3 LAN, 2 WAN - 2 LAN use 1 WAN, last LAN uses other WAN

Discussion in 'Server Networking' started by ZaneB, Feb 25, 2008.

  1. ZaneB

    ZaneB Guest

    Hi,

    I can connect one network consisting of a switch & ADSL modem to the
    internet (twice) and then join both of these networks together via the
    internet. What I want to do is join the networks together before they hit the
    internet (physically located in the same building) - because it's a lot
    quicker for me to access the other computers via 100Mbit switch than via
    ADSL. I have two switches & two ADSL modems that sit on top of each other. I
    need to join these together.

    I have a Windows 2008 Std Server with 6 NICs. This is what I want the end
    result to be.

    LAN
    ---------
    192.168.10.0/24 - CompanyA
    192.168.11.0/24 - CompanyB
    192.168.12.0/24 - CompanyC

    WAN
    ---------
    192.168.0.1 - ADSL Modem 1
    192.168.1.1 - ADSL Modem 2
    These modems can run in bridge mode if that's a better way to go... They are
    just running in PPPoE at the moment.

    What I'd really like to do is have all the modems plugged into a switch and
    then only using one interface on the server as that will allow me to have 5
    network segments. As it stands we have 3 right now, and will have 5 in about
    a month with 5 ADSL modems. As mentioned above I can keep them all separate
    and link them via the internet but that is WAY slower than if they were all
    joined together before they hit the internet. These are 5 companies in the
    same building using each others' services, which they could do via the
    internet, but again that is slower than connecting directly via a LAN. I'm
    effectively the 5th company as I support the other 4.

    So I need to have all the network segments talking to each other - which I've
    managed to setup. I then need to be able to specify which network segment
    uses which ADSL modem - this is the part I haven't been able to setup yet.
    The idea here is that, if one provider goes down I can just switch the
    network segments over to the ADSL modems that are working and everything keeps
    working.

    Thanks for your pointers,

    ZaneB
     
    ZaneB, Feb 25, 2008
    #1

  2. The DSL and the WANs don't have anything to do with anything.

    If all the LANs are in the same building you connect them with normal
    ethernet with a LAN Router in between (I mean a "real" router, not a
    home-user NAT-box).

    You could use a Layer3 Switch which is a LAN Router and a network Switch
    built into the same piece of hardware.

    *One* nic per machine. Get rid of the 6 nics in the Server.

    Networks are separate from computers. Computers live on the network just
    like houses live on the streets. But the computers do not become the
    network just like houses do not become the streets. A network should
    function even if there is not one single computer on it. If you design a
    network with that in mind you will be miles ahead.


    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, Feb 25, 2008
    #2

  3. ZaneB

    ZaneB Guest

    This is hardly a home user LAN box..
    Dual Quad Core, 16GB RAM, W2K8 x64. 150GB RAID1 (OS), 1.36TB RAID10 (Storage)

    So beefy because it runs virtual machines - one of these is an nTop box -
    for monitoring the network - (hence why I want all internet traffic going
    through this server). A SBS2K3 (CompanyA), An Application Server (Company A,
    Company D [moving in next month]), A dev server (Company C - which is
    developing things for Company A, B, C & E - again why I want LAN access to
    everything)
    There are
    Company A - 15 PCs, 2 Printers
    Company B - 2 PCs
    Company C - 4 PCs

    They all have 1 NIC each.
    Yeah I want everyone who drives into the city to go via one TOLL bridge, not
    5 different free roads that meet in the city and avoid my TOLL.

    See I follow what you're saying - ultimately I don't want to go spend extra
    cash on a Layer3 switch - cause I can do what I want to do with Linux & IP
    Tables - It's just that Gentoo isn't playing ball with VMWare server so I've
    gone back to a Windows host. Now if Linux can route packets - surely windows
    can route packets. I just don't know how to configure it. I did cover it in
    one of my MCSE classes, but that was 3yrs ago and I've not done much Windows
    routing since that class.....

    Also I want all internet traffic to flow through a single device that can
    audit the traffic. Each company doesn't have its own internet connection
    right now. I don't want any other company on my internet as they slow it
    down. I want to be able to connect to their computers easily etc.

    I need to know how to route:
    - Network 192.168.10.0/24 to gateway 192.168.0.1
    - Network 192.168.11.0/24 & 192.168.12.0/24 to gateway 192.168.1.1

    Which is
    NIC1 192.168.10.1 to NIC4 192.168.0.2
    NIC2 192.168.11.1 & NIC3 192.168.12.1 to NIC4 192.168.0.2

    Thanks.
     
    ZaneB, Feb 25, 2008
    #3
  4. ZaneB

    ZaneB Guest

    Which is
    Messed up that last line it should read
    NIC2 192.168.11.1 & NIC3 192.168.12.1 to NIC4 192.168.1.2
     
    ZaneB, Feb 25, 2008
    #4
  5. ZaneB

    ZaneB Guest

    *One* nic per machine. Get rid of the 6 nics in the Server.
    Also the server has 2x1Gb onboard & a QuadPort Intel Card 4x1Gb
     
    ZaneB, Feb 25, 2008
    #5
  6. ZaneB

    ZaneB Guest

    Another thing where does DHCP fit into this tidbit? I'm not going to
    maintain 5 DHCP servers or 5 DNS servers, I'm only going to look after one.
    Unless the network segments are physically separate how would you define 5
    separate scopes? Even if you had a layer 3 switch wouldn't you need 5 wires
    coming out of the switch into 5 separate DHCP holes? In my case it is a
    W2K8 server w/ the DHCP role with 5 subnets on 5 separate NICs. Ultimately I
    could setup 5 standalone networks and have 5 of everything required for it to
    work then put a layer3 switch in the middle and join it all up - but that is
    5 5 5 5 & I just want 1 physical device.

    Remember this is growing to what could be 5 separate physical networks if
    all the companies weren't converging into the same office space. If we were
    all in 5 different locations then I'd just have to live with connecting to
    everyone over the internet at 1Mbps...

    ZaneB
     
    ZaneB, Feb 25, 2008
    #6
  7. You didn't say in the first post what it was, or at least I couldn't figure
    it out by what you wrote. When people say DSL, I assume home user equipment
    unless they tell me otherwise.
    In the first post you said:
    "I have a Windows 2008 Std Server with 6 NICs."
    That is what I was referring to.
    NT4, both Server or Workstation did it "out of the box" by simply checking a
    simple checkbox.

    Server 2000 & 2003 need RRAS installed unless you want to hack the crap out
    of the registry.

    Using RRAS as a LAN Router and using it as a NAT Firewall are two different
    functions. I imagine both can be done at the same time, but I have never
    done it. RRAS is not going to provide squat for auditing,...it just doesn't
    do it.
    If the LAN Router between the "businesses" and the Internet "sharing" device
    (NAT Firewall) are both the same device it just ain't gonna happen. Routes
    are determined by the Destination,..*not* by the Source. You cannot run
    things through a single device and then expect the traffic to go to the
    Internet over different paths after that. It does not matter how many Nics
    you stick in something,...there is still only one Routing Table and that is
    where the decision comes from.

    Even if you decide to forget about the auditing, and you just want them to
    use different Internet "paths", you have to deal with all of the
    below.......

    With a single LAN Router for all the segments, your Inter-LAN Routing must
    be totally separated from anything having anything to do with the Internet.
    Then each "business" uses the Firewall they are supposed to use for the
    Internet as their Default Gateway. Then the Firewall would have a static
    Route that tells everything to use the LAN Router as the "path" for the
    other IP Segments. You can't do that if both the LAN Router and the Firewall
    are the same device. Keep in mind that some firewall devices may not allow
    this because it is considered a "bad idea" to place LAN "routing decisions"
    on the Firewall.

    The correct topology (but more expensive) would be for each "business" to
    have its own LAN Router (3 businesses - 3 LAN Routers). Then the LAN
    Routers would be the Default Gateway of each respective business,...the LAN
    Routers in turn would use the correct Firewall for that particular business
    as the Default Gateway. Then the routing scheme between the businesses
    could be handled by Dynamic Routing Protocols or it could be worked out with
    a series of Static Routes on the 3 Inter-LAN Routers.

    Keep this in mind. Normally with multiple LAN Segments they are all using
    the same Internet connection. So all you do is put a LAN Router in the
    "center" and a Firewall on the edge of one of the Segments. Then the LAN
    Router is everyone's Default Gateway and the Firewall is the Default Gateway
    of the LAN Router. Then the Firewall has a Static Route to the LAN Router to
    cover the Backward Route. But because these are three separate companies
    and you want each to use a separate Internet connection (separate
    Firewall),...that is where you are creating all the big complexity.

    You can gain some flexibility with a "proxy based" Firewall (like MS ISA
    Server) at each Internet link, but I doubt you would consider buying an
    ISA Server for each Internet link. But even then there are things that you
    just cannot do.

    I realize that this isn't giving you the solution you wanted to hear, but
    that is the best I can do with it.

    --
    Phillip Windell
    www.wandtv.com

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Troubleshooting Client Authentication on Access Rules in ISA Server 2004
    http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp

    Microsoft ISA Server Partners: Partner Hardware Solutions
    http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
    -----------------------------------------------------
     
    Phillip Windell, Feb 25, 2008
    #7
  8. ZaneB

    ZaneB Guest

    I know I have to use RRAS, I'm just not able to make it bend to my will... I
    also know RRAS isn't going to do any auditing. I do know that VMWare has
    bridge connections which I then use in a Linux VM running nTop which operates
    in promiscuous mode and that does the auditing.
    Right, so this sounds like Windows (out of the box) isn't able to do source
    NAT, only Destination NAT... In linux you could dictate the next hop based on
    the source.
    Ok, the actual dsl modems are the sharing device in that on one side is the
    Internet IP and on the other side is the LAN IP. All I need is a rule that
    says ok this packet is from this subnet you should go to this IP next. That
    IP would be the LAN IP of the dsl modem. But like I said above its looking
    more and more like windows isn't able to make these kinds of decisions.
    Yeah - That's what I had in mind, I was trying to do 3 LAN routers in 1 LAN
    router. Looks like this isn't possible... Which is odd since it really is
    just routing with extra rules - it must be doable - I'll keep searching.
    These are the rules just follow them. I need to figure out how I implement
    them

    If (src network == 192.168.10.1/24) {
        GoTo 192.168.1.1 via WAN-NIC
    }
    If ((src network == 192.168.11.1/24 OR src network == 192.168.12.1/24) AND
        destination is 0.0.0.0) {
        GoTo 192.168.2.1 via WAN-NIC
    }

    That is trivial to do in linux using iptables - and there must be a way to do
    it in windows :)

    I guess I could make my nTop virtual machine a router.... Damn that's clever
    thinking with a capital T - I'll just do that if windows isn't able to do it.

    I thought ISA might show its head - yeah I'm not going to pay for that due
    to cost and I really don't need it :)


    Thanks for your input Phillip, I appreciate you taking the time to reply.

    ZaneB
     
    ZaneB, Feb 26, 2008
    #8
  9. ZaneB

    ZaneB Guest

    ok - just did a bit more reading and looks like my issue isn't able to be
    solved by routing I actually need some sort of firewall... Which will take
    care of the filtering. Which is what iptables is - a packet filter.... and
    that is what ISA is - Except I don't need something that heavy, or pricey.
     
    ZaneB, Feb 26, 2008
    #9
  10. Correct. But not "because" of Windows,...it is because it is not a "natural"
    function of TCP/IP. It takes an Application operating at higher levels
    (perhaps beyond the OSI Layers) to "overcome" and the "override" the
    shortcomings in TCP/IP. Windows just simply has not been built with that
    functionality and although RRAS is a "routing package" it has not been
    designed nor intended to be that "feature filled".

    From what you say, it sounds like IPTables has those abilities to manipulate
    the TCP/IP functionality.
    No. You need a routing system capable of performing the function of Source
    Routing (not Source NAT - BTW). Firewalls are not "routers", although you
    can create a firewall out of a router by building ACLs. Your firewall
    functionality would occur "upstream" and typically would be the next hop
    "target" based on the decision of the downstream router performing the
    Source Routing. Continued....
    Well IPTables is a routing system (hence the "tables" in the name). It can
    perform firewall functions via ACLs and also perform NAT just like any other
    real router can do. It sounds like it would probably be the best "cheap"
    choice for you if you are familiar with it enough to perform the task, and
    it sounds like you probably are. I would recommend a single IPTables box
    sitting in the "center" of all the segments with enough Nics in the box to
    represent all the segments. Let it make the routing decisions and perform
    the Source Routing decisions which will direct the traffic to the correct
    Firewall. I just don't know if it will serve the purpose of the auditing
    you want to do.

    ISA on the other hand is primarily a "proxy based" Firewall and will only
    function as a LAN Router in a limited way. It also tends to be heavily
    over-restrictive as a LAN Router due to the heavy security focus of the
    product. ISA does possess "packet filters" but the term refers to very
    specific things in ISA and the Packet Filters are very limited and are
    almost never used,...the other access controls available are 100 times more
    effective than packet filters. Packet Filters were used more often in
    ISA2000 but in the years I have worked with ISA2004/2006 I have never
    touched them or hardly even went into that part of the MMC at all.

    --
    Phillip Windell
    www.wandtv.com

     
    Phillip Windell, Feb 26, 2008
    #10
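As an added illustration of the source-based gateway selection the whole thread circles around (this is not ZaneB's or Phillip's configuration, just a model written for this page): a small Python simulation of the "single box in the center" decision, using the thread's three subnets and two modem addresses. It shows why the destination lookup for connected LANs has to run before the per-source default gateway is chosen, and how a subnet falls over to the other modem when its provider is down. The WAN interface names (NIC4, NIC5) and the fallback order are assumptions.

```python
# Policy-based routing model of the thread's layout: three LAN segments, two
# ADSL modems, and a central router that picks a default gateway per SOURCE
# subnet while inter-company traffic stays on the switch. Constructed example;
# NIC4/NIC5 for the two modems and the fallback order are assumptions.
import ipaddress

IP = ipaddress.ip_address
NET = ipaddress.ip_network

# Connected LAN segments: matched by DESTINATION, like any ordinary route table.
LAN_ROUTES = [(NET("192.168.10.0/24"), "NIC1"),   # Company A
              (NET("192.168.11.0/24"), "NIC2"),   # Company B
              (NET("192.168.12.0/24"), "NIC3")]   # Company C

# Modem LAN address and the router NIC that faces it (NIC names assumed).
GATEWAYS = {"ADSL1": ("192.168.0.1", "NIC4"),
            "ADSL2": ("192.168.1.1", "NIC5")}

# Per-source policy: preferred modem first, then the fallback if it is down.
POLICY = {NET("192.168.10.0/24"): ["ADSL1", "ADSL2"],
          NET("192.168.11.0/24"): ["ADSL2", "ADSL1"],
          NET("192.168.12.0/24"): ["ADSL2", "ADSL1"]}


def next_hop(src, dst, down=()):
    """Return (next_hop_ip, interface) for a packet, or None if it is dropped.

    Order matters: connected-LAN destinations are resolved first, so a source
    rule carrying a default route can never pull Company A -> Company B traffic
    out to the modem. Only a destination that matches no LAN is sent to the
    gateway chosen for the SOURCE subnet, skipping providers listed in `down`.
    """
    src, dst = IP(src), IP(dst)
    for net, iface in LAN_ROUTES:            # 1. destination decides for local LANs
        if dst in net:
            return (str(dst), iface)         # directly connected: deliver on that NIC
    for net, order in POLICY.items():        # 2. source decides the internet path
        if src in net:
            for name in order:
                if name not in down:
                    return GATEWAYS[name]
            return None                      # every modem for this subnet is down
    return None                              # unknown source subnet: not forwarded


if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "203.0.113.10"),   # TEST-NET address
                     ("192.168.10.5", "192.168.11.20"),
                     ("192.168.11.5", "203.0.113.10")]:
        print(src, "->", dst, "via", next_hop(src, dst))
```

Swapping a subnet from one modem to the other is a one-line change to `POLICY`, which is the "switch the segments over" operation ZaneB describes, and the `down` argument stands in for whatever link monitoring would flag a dead provider.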