3 LAN, 2 WAN - 2 LAN use 1 WAN, last LAN uses other WAN

Hi,

I can connect one network consisting of a switch & ADSL modem to the
internet (twice) and then join both of these networks together via the
internet. What I want to do is join the networks together before they hit the
internet (physically located in the same building) - because it's a lot
quicker for me to access the other computers via 100Mbit switch then it via
ADSL. I have two switches & two ADSL modems that sit on top of each other. I
need to join these together.

I have a Windows 2008 Std Server with 6 NICs. This is what I want the end
result to be.

LAN
---------
192.168.10.0/24 - CompanyA
192.168.11.0/24 - CompanyB
192.168.12.0/24 - CompanyC

WAN
---------
192.168.0.1 - ADSL Modem 1
192.168.1.1 - ADSL Modem 2
These modems can run in bridge mode if that's a better way to go... They are
just running in PPPoE at the moment.

What I'd really like to do is have all the modems plugged into a switch and
then only using one interface on the server as that will allow me to have 5
network segments. As it stands we have 3 right now, and will have 5 in about
a month with 5 ADSL modems. As mentioned above I can keep them all separate
and link them via the internet but that is WAY slower then if they were all
joined together before they hit the internet. These are 5 companies in the
same building using each others services, which they coud do via the
internet, but again that is slower then connecting directly via a LAN. I'm
effectively the 5th company as I support the other 4.

So I need to have all the nework segments talking to each other - which I've
managed to setup. I then need to be able to specify which network segment
uses which ADSL modem - this is the part I haven't been able to setup yet.
The idea here is that, if one provider goes down I can just switch the
network segments over to the ADSL modems that working and everything keeps
working.

Thanks for your pointers,

ZaneB

 

The DSL and the WANs don't have anything to do with anything.

If all the LANs are in the same building you connect them with normal
ethernet with a LAN Router in between (I mean a "real" router, not a
home-user NAT-box).

You could use a Layer3 Switch which is a LAN Router and a network Switch
built into the same piece of hardware.

*One* nic per machine. Get rid of the 6 nics in the Server.

Networks are separate from computers. Computers live on the network just
like houses live on the streets. But the computers do not become the
network just like houses do not become the streets. A network should
function even if there is not one single computer on it. If you design a
network with that in mind you will be miles ahead.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

 

This is hardly a home user LAN box..
Dual Quad Core, 16GB RAM, W2K8 x64. 150GB RAID1 (OS), 1.36TB RAID10 (Storage)

So beefy because it runs virtual machines - one of these is an nTop box -
for monitoring the network - (hence why I want all internet traffic going
through this server). A SBS2K3 (CompanyA), An Application Server (Company A,
Company D [moving in next month]), A dev server (Company C - which is
delveloping things for Company A, B, C & E - again why I want LAN access to
everything)

There are
Company A - 15 PCs, 2 Printers
Company B - 2 PCs
Company C - 4 PCs

They all have 1 NIC each.

Yeah I want everyone who drives into the city to go via one TOLL bridge, not
5 different free roads that meet in the city and avoid my TOLL.

See I follow what your saying - ultimately I don't want to go spend extra
cash on a Layer3 switch - cause I can do what I want to do with Linux & IP
Tables - It's just that Gentoo isn't playing ball with VMWare server so I've
gone back to a Windows host. Now if Linux can route packets - surely windows
can route packets. I just don't know how to configure it. I did cover it it
one of my MCSE classes, but that was 3yrs ago and I've not done much Windows
routing since that class.....

Also I want all internet traffic to flow through a single device that can
audit the traffic. Each company doesn't have it's own internet connection
right now. I don't want any other company on my internet as they slow it
down. I want to be able connect to their computers easily etc.

I need to know how to route:
- Network 192.168.10.0/24 to gateway 192.168.0.1
- Network 192.168.11.0/24 & 192.168.12.0/24 to gateway 192.168.1.1

Which is
NIC1 192.168.10.1 to NIC4 192.168.0.2
NIC2 192.168.11.1 & NIC3 192.168.12.1 to NIC4 192.168.0.2

Thanks.

 

Which is

Messed up that last line it should read
NIC2 192.168.11.1 & NIC3 192.168.12.1 to NIC4 192.168.1.2

 

*One* nic per machine. Get rid of the 6 nics in the Server.
Also the server has 2x1Gb onboard & a QuadPort Intel Card 4x1Gb

 

Another thing where does DHCP fit into this tidbit? I'm not going to
maintain 5 DHCP servers or 5 DNS servers, I'm only going to look after one.
Unless the network segments are physically separate how would you define 5
separate scopes? Even if you had a layer 3 switch wouldn't you need 5 wires
coming out of the switch into 5 separate DHCP holes? In my case this it is a
W2K8 server w/ the DHCP role with 5 subnets on 5 separate NICs. Ultimately I
could setup 5 standalone networks and have 5 of everything required for it to
work then put a layer3 switch in the middle and join it all up - but that is
5 5 5 5 & I just want 1 physical device.

Remember this is growing to what could be 5 separate physical networks if
all the companies weren't converging into the same office space. If we were
all in 5 different locations then I'd just have to live with connecting to
everyone over the internet at 1Mbps...

ZaneB

 

You didn't say in the first post what it was, or at least I couldn't figure
it out by what you wrote. When people say DSL, I assume home user equipment
unless they tell me otherwise.

In the first post you said:
"I have a Windows 2008 Std Server with 6 NICs."
That is what I was refering to.

NT4, both Server or Workstation did it "out of the box" by simply checking a
simple checkbox.

Server 2000 & 2003 need RRAS installed unless you want to hack the crap out
of the registry.

Using RRAS as a LAN Router and using it as a NAT Firewall are two different
functions. I imagine both can be done at the same time, but I have never
done it. RRAS is not going to provide squat for auditing,...it just doesn't
do it.

If the LAN Router between the "businesses" and the Internet "sharing" device
(NAT Firewall) are both the same device it just ain't gonna happen. Routes
are determined by the Destination,..*not* by the Source. You cannot run
things through a single device and then expect the traffic to go to the
Internet over different paths after that. It does not matter how many Nics
you stick in something,...there is still only one Routing Table and that is
where the decision comes from.

Even if you decide to forget about the auditing, and you just want them to
use different Internet "paths", you have to deal with all of the
below.......

With a single LAN Router for all the segments, your Inter-LAN Routing must
be totally separated from anything having anything to do with the Internet.
Then each "business" uses the Firewall they are supposed to use for the
Internet as their Default Gateway. Then the Firewall would have a static
Route that tells everything to use the LAN Router as the "path" for the
other IP Segments. You can't do that if both the LAN Router and the Firewall
are the same device. Keep in mind that some firewall devices may not allow
this because it is considered a "bad idea" to place LAN "routing decisions"
on the Firewall.

The correct topology (but more expensive) would be for each "business" to
have its own LAN Router (3 businesses - 3 LAN Routers). Then the LAN
Routers would be the Default Gateway of each respective business,...the LAN
Routers in turn would use the correct Firewall for that particular business
as the Default Gateway. Then the routing scheme between the businesses
could be handled by Dynamic Routing Protocols or it could be worked out with
a series of Static Routes on the 3 Inter-LAN Routers.

Keep this in mind. Normally with multiple LAN Segments they are all using
the same Internet connection. So all you do is put a LAN Router in the
"center" and a Firewall on the edge of one of the Segments. Then the LAN
Router is everyone's Default Gateway and the Firewall is the Default Gatway
of the LAN Router. Then the Firewall has a Static Route to the LAN Router to
cover the Backward Route. But because these are three separate companies
and you want each to use a separate Internet connection (separate
Firewall),...that is where you are creating all the big complexity.

You can gain some flexability with a "proxy based" Firewall (like MS ISA
Server) at each Internet link, I but I doubt you would consider buying an
ISA Server for each Internet link. But even then there are things that you
just cannot do.

I realize that this isn't giving you the solution you wanted to hear, but
that is the best I can do with it.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------

 

I know I have to use RRAS, I'm just not able to make it bend to my will... I
also know RRAS isn't going to do any auditing. I do know that VMWare has
bridge connections which I then use in a Linux VM running nTop which operates
in promiscuous mode and that does the auditing.

Right, so this sounds like Windows (out of the box) isn't able to do source
NAT, only Destination NAT... In linux you could dictate the next hop based on
the source.

Ok, the actual dsl modems are the sharing device in that on one side is the
Internet IP and on the other side is the LAN IP. All I need is a rule that
says ok this packet is from this subnet you should go to this IP next. That
IP would be the LAN IP of the dsl modem. But like I said above its looking
more and more like windows isn't able to make these kinds of decisions.

Yeah - That's what I had in mind, I was trying to do 3 LAN routers in 1 LAN
router. Looks like this isn't possible... Which is odd since it really is
just routing with extra rules - it must be doable - I'll keep searching.
These are the rules just follow them. I need to figure out how I implement
them

If(src network == 192.168.10.1/24) {
GoTo 192.168.1.1 via WAN-NIC
}
If((src network == 192.168.11.1/24 OR src network == 192.168.12.1/24)AND
destination is 0.0.0.0 ) {
GoTo 192.168.2.1 via WAN-NIC
}

That is trival to do in linux using iptables - and there must be a way to do
it in windows

I guess I could make my nTop virtual machine a router.... Damn that's clever
thinking with a capital T - I'll just do that if windows isn't able to do it.

I thought ISA might show its head - yeah I'm not going to pay for that due
to cost and I really don't need it


Thanks for your input Phillip, I appreciate you taking the time to reply.

ZaneB

 

ok - just did a bit more reading and looks like my issue isn't able to be
solved by routing I actually need some sort of firewall... Which will take
care of the filtering. Which is what iptables is - a packet filter.... and
that is what ISA is - Except I don't need something that heavy, or pricey.

 

Correct. But not "becuase" of Windows,...it is because it is not a "natural"
function of TCP/IP. It takes an Application operating at higher levels
(perhaps beyond the OSI Layers) to "overcome" and the "override" the
shortcommings in TCP/IP. Windows just simply has not been built with that
functionality and although RRAS is a "routing package" it has not been
designed nor intended to be that "feature filled".

From what you say, it sounds like IPTables has those abilties to manipulate
the TCP/IP functionality.

No. You need a routing system capable of performing the function of Source
Routing (not Source NAT - BTW). Firewalls are not "routers", although you
can create a firewall out of a router by building ACLs. Your firewall
functionality would occur "upstream" and typically would be the next hop
"target" based on the decision of the downstream router performing the
Source Routing. Continued....

Well IPTables is a routing system (hence the "tables" in the name). It can
perform firewall functions via ACLs and also perform NAT just like any other
real router can do. It sounds like it would probably be the best "cheap"
choice for you if you are familiar with it enough to perform the task, and
it sounds like you probably are. I would recommend a single IPTables box
sitting in the "center" of all the segments with enough Nics in the box to
represent all the segments. Let it make the routing descisions and perform
the Source Routing decisions which will direct the traffic to the correct
Firewall. I just don't know if it will serve the purpose of the auditing
you want to do.

ISA on the other hand is primarily a "proxy based" Firewall and will only
function as a LAN Router in a limited way. It also tends to be heavily
over-restrictive as a LAN Router due to the heavey security focus of the
product. ISA does possess "packet filters" but the term referes to a very
specific things in ISA and the Packet Filters are very limited and are
almost never used,...the other access controls available are a 100 time more
effective than packet filters. Packet Filters were used more often in
ISA2000 but in the years I have worked with ISA2004/2006 I have never
touched them or hardly even went into that part of the MMC at all.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------