settecplus
just joined
Topic Author
Posts: 13
Joined: Tue Oct 30, 2012 12:03 pm

Help choosing the right routing

Tue Nov 06, 2012 1:06 pm

Hi, we've recently purchased some Routerboards, and I'm here seeking some advice...


I have a complex setup which involves three networks, each with its own public internet IP (see attached diagram).
I need to have exclusive (bidirectional) access from pc1 (network A) to servers in network B and C. Servers B1 and C2 share the same local intranet IP address, which I can't modify, so I thought of using NAT in router B and C and translating the class C addresses to unique class A addresses (10.0.1.a, 10.0.2.b and so on). I'm using some 450g routers for this purpose, but... I really need some help to get started, and some suggestions on the best policy to adopt.
Please don't shoot at the face :)

Regards
Last edited by settecplus on Thu Nov 08, 2012 2:55 pm, edited 1 time in total.
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Help choosing the right routing

Tue Nov 06, 2012 1:33 pm

Post the diagram and I will look into it :)
Unimus - configuration management, automation and backup solution
Mass Config Push, network-wide RouterOS upgrades, and more!
 
settecplus
just joined
Topic Author
Posts: 13
Joined: Tue Oct 30, 2012 12:03 pm

Re: Help choosing the right routing

Tue Nov 06, 2012 1:39 pm

Strange it should be linked in the first post...
Anyway, here it is.

And thank you!
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Help choosing the right routing

Tue Nov 06, 2012 2:00 pm

To clarify:
Currently, RouterA, RouterB and RouterC all have 192.168.1.1/24 subnet behind them, correct? Router B and C also have 192.168.3.1/24. Each router also has Internet connectivity with a public static IP right?

If that is the case, the solution to your problem is not that hard.

From RouterA create GRE tunnels to routers B and C. Use 10.10.b.x/31 and 10.10.c.x/31 for GRE. Then set up routes on RouterA for "mapped" networks. For example, we will map "10.80.10.0/30" to servers behind router B and "10.80.20.0/30" to servers behind router C.

Set up masquerade for the GRE interfaces on RouterA. Then on routers B and C add dst NAT rules for the mapped networks. Meaning:
Router B will dst NAT 10.80.10.1 -> 192.168.1.120 and 10.80.10.2 -> 192.168.3.20
Router C will dst NAT 10.80.20.1 -> 192.168.1.120 and 10.80.20.2 -> 192.168.3.20

After all this, you will be able to access 10.80.10.1 and .2 and 10.80.20.1 and .2 from your PC1 behind RouterA.

You might also want to secure the GRE tunnels with IPsec.
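The mapping tomaskir describes above, written out as RouterOS 6 CLI for Router A and Router B (an added example, not configuration from the thread). The public IPs 192.0.2.1 / 198.51.100.1, PC1's address 192.168.1.10, the /30 tunnel addresses and the interface names are constructed placeholders; Router C is configured the same way with its own tunnel and the 10.80.20.0/30 mapping.

```routeros
# ---- Router A (hub; public IP 192.0.2.1 is a constructed placeholder) ----
/interface gre add name=gre-to-B local-address=192.0.2.1 remote-address=198.51.100.1
/ip address add address=10.10.2.1/30 interface=gre-to-B
# The "mapped" addresses for site B are reached through the tunnel
/ip route add dst-address=10.80.10.0/30 gateway=10.10.2.2
# PC1 sits in 192.168.1.0/24, which also exists behind Router B, so its
# source address must be hidden behind the tunnel address (10.10.2.1)
/ip firewall nat add chain=srcnat out-interface=gre-to-B action=masquerade
# Only PC1 (placeholder 192.168.1.10) may use the tunnel; anything else from the LAN is dropped
/ip firewall filter add chain=forward out-interface=gre-to-B src-address=192.168.1.10 action=accept
/ip firewall filter add chain=forward out-interface=gre-to-B action=drop

# ---- Router B (public IP 198.51.100.1 is a constructed placeholder) ----
/interface gre add name=gre-to-A local-address=198.51.100.1 remote-address=192.0.2.1
/ip address add address=10.10.2.2/30 interface=gre-to-A
# dst-NAT runs in prerouting, before the routing decision, so no route for
# 10.80.10.0/30 is needed here; replies go back to 10.10.2.1 over the tunnel
/ip firewall nat add chain=dstnat in-interface=gre-to-A dst-address=10.80.10.1 action=dst-nat to-addresses=192.168.1.120
/ip firewall nat add chain=dstnat in-interface=gre-to-A dst-address=10.80.10.2 action=dst-nat to-addresses=192.168.3.20
# The forward chain sees the translated destination; anything arriving over the
# tunnel that was not mapped to one of the two servers is dropped
/ip firewall filter add chain=forward in-interface=gre-to-A dst-address=192.168.1.120 action=accept
/ip firewall filter add chain=forward in-interface=gre-to-A dst-address=192.168.3.20 action=accept
/ip firewall filter add chain=forward in-interface=gre-to-A action=drop
```

If the routers run a restrictive input chain, GRE (IP protocol 47) from the peer's public address must be accepted there as well, otherwise the tunnel never comes up.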
 
settecplus
just joined
Topic Author
Posts: 13
Joined: Tue Oct 30, 2012 12:03 pm

Re: Help choosing the right routing

Tue Nov 06, 2012 3:10 pm

Hi Tomaskir.
You have correctly interpreted my cheap diagram, and your solution seems reasonable. Would it be best with a VPN tunnel instead of a GRE tunnel? Security is an issue in this case.
And what if the number of remote networks grows? What if I add Router D, E, F? What is the limit of a 450g router?
Router B and C at the moment have 192.168.1.1/24 and 192.168.3.1/24 subnets, but more may come up, for instance 192.168.x.1/24 with x=(1~6).

Thank you once again for your (invaluable) help.
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Help choosing the right routing

Tue Nov 06, 2012 3:27 pm

If you encrypt the GRE tunnel using IPsec transport mode, it will be a proper VPN tunnel. You cannot do this using IPsec tunnel mode with policies, since you need to use NAT. The limit of the 450g for IPsec is about 20mbit of traffic (10mbit full duplex, using aes128); the number of IPsec peers pretty much doesn't matter.

If you plan on growing the network, it's a bad, bad implementation idea to keep all of the separate networks using the same subnets. Use a different subnet in each location, then set up the GRE tunnel with OSPF and it will all work without any NAT. Currently, adding a network to this setup would mean creating another GRE tunnel, adding masq, and adding proper dst nat rules for the routers on remote ends.

If you set it up properly with separate subnets in each location, adding a network will just be adding a GRE tunnel and turning on OSPF on it. Not just that, but with GRE/OSPF (secured with IPsec transport mode) you will be able to reach all networks from all networks (firewall for security, of course). Also, you can then GRE from one router to more routers, and OSPF will do the job of providing redundancy.
 
settecplus
just joined
Topic Author
Posts: 13
Joined: Tue Oct 30, 2012 12:03 pm

Re: Help choosing the right routing

Tue Nov 06, 2012 4:00 pm

> If you set it up properly with separate subnets in each location, adding a network will just be adding a GRE tunnel and turning on OSPF on it. Not just that, but with the GRE/OSPF (secured with IPsec transport mode) you will be able to reach all networks from all networks (firewall for security of course) Also, you can then GRE from one router to more routers, and OSPF will do the job of providing redundancy.

That's exactly what I don't want happening. I just need control from one source, the A network. The other networks must be blind between themselves. Regarding the config issue, it would just mean pre-configuring the router and sending it to the new network for them to plug it in, wouldn't it? On the other side, reconfiguring the remote subnets to make them unique would mean a lot of work in a remote location, which would not be practical.
The other useful addon to the setup would be having the opportunity to connect to network A from the internet, and then control networks B and C and so on. Or to have the ability to connect to network B and C from another source (a laptop with a 3G connection). And I don't know how to achieve it.
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Help choosing the right routing

Tue Nov 06, 2012 4:14 pm

You can easily block the communication between the networks in the firewall. Or do that with OSPF: don't distribute routes to other networks, just distribute routes from other networks to you, and a route back to you only to the remote networks.

I agree that renumbering 2 remote networks now may seem like a lot of work. But doing it now is much easier than when it's 50 networks. Having GRE tunnels with OSPF would simply provide so much more flexibility for the future. Also, it would be a standard solution, compared to this NATing workaround. What you want to implement in your network is entirely up to you of course.

Regarding connecting to A from the internet and then connecting to B and C: just set up an RDP server inside of A, and remote desktop to that. Then you will work just as if you were sitting behind a PC in network A, from anywhere. To connect to B and C from anywhere, I would not advise. Remote desktoping to A and then managing other networks from there is much better and safer. Just make sure to properly secure the RDP host.
 
settecplus
just joined
Topic Author
Posts: 13
Joined: Tue Oct 30, 2012 12:03 pm

Re: Help choosing the right routing

Tue Nov 06, 2012 4:30 pm

Mmm, I see your point, and I pretty much agree with you.
At this point, though, I don't really know what to do. The network is already pretty big; even if I just talked about B and C, we really are more towards M or N. Each network already has at least two subnetworks. From this point of view, it is an easier solution taking a bunch of routers, configuring them in-house and then sending them to the remote location, without having to go there and reconfigure everything from scratch (I'm not just talking of changing the eth addresses, of course, but the communications between devices as well). At least this is what it seems to me.
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Help choosing the right routing

Tue Nov 06, 2012 4:41 pm

In my personal experience, it's better to do the right solution right away rather than do a quick fix and then run into problems later on. If you are actively planning to grow the network, I can only recommend doing the right thing now. Even if you already have 15 sites, it's easier now than when there are 50 sites and you run into a problem with all the NATing, or you need to implement something new, etc.

In a perfect world, all the networks should use DNS inside, so all you would need to do is renumber the hosts (if you are using static DHCP leases that's easy) and change the records on the DNS server. Of course, I don't know your networks :D

Another thing to consider is IPv6. I don't know about your country, but we have some problems getting public IPs already now. Doing the standardized GRE/OSPF deployment would put you a long way towards being ready with your infrastructure when IPv6 hits. Just assign IPv6 addresses, config OSPFv3 and everything will work the same.

Either way, both of these solutions will work for your problem, the debate has turned into scalability and future growth :)
 
settecplus
just joined
Topic Author
Posts: 13
Joined: Tue Oct 30, 2012 12:03 pm

Re: Help choosing the right routing

Tue Nov 06, 2012 6:25 pm

Ok,
let's keep it simple then.
Let's say I can modify the subnets at my wish; the only limitation is I need to separate the various networks, so I think it will be 10.10.A.x/24, 10.10.B.x/24 and so on. And please forgive me in advance for sounding so lame, but can you suggest how you would interpret the original diagram? I'm asking because, I admit it, at this point I'm a bit confused :)

[I can't send pm so I cannot contact you directly]
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Help choosing the right routing

Wed Nov 07, 2012 1:46 am

Here is how I would solve it.

All you would need to do is configure OSPF, and all routing would be taken care of. No NATing at all. Also, if the networks wanted to communicate with each other they would have to go through the mng network router, so all the firewalling would be done in one place (the mng network router).

This design would scale up to 253 networks, and each network could have up to 255 subnets behind it. Implementing IPv6 in this topology would be as easy as assigning addresses to routers and hosts and turning OSPFv3 on.

Secure the GRE tunnels with IPsec transport mode for it to be a properly secured IPsec VPN.
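A hub-and-spoke version of the GRE/OSPF design from the post above, as added example RouterOS 6 CLI (not configuration from the thread; pre-6.44 IPsec peer syntax). It assumes the sites have been renumbered as 10.1.0.0/16 for the mng (hub) site and 10.2.0.0/16 for site B, 172.16.2.0/30 for the tunnel, a hub LAN interface named ether1-lan, a placeholder PSK, and placeholder public IPs 192.0.2.1 / 198.51.100.1; each further site is another tunnel with its own /16.

```routeros
# ---- mng (hub) router; public IP 192.0.2.1 is a constructed placeholder ----
/interface gre add name=gre-to-B local-address=192.0.2.1 remote-address=198.51.100.1
/ip address add address=172.16.2.1/30 interface=gre-to-B
# OSPF advertises every subnet inside 10.1.0.0/16 and learns the spoke subnets:
# no static routes and no NAT anywhere
/routing ospf instance set default router-id=10.1.0.1
/routing ospf network add network=172.16.2.0/30 area=backbone
/routing ospf network add network=10.1.0.0/16 area=backbone
/routing ospf interface add interface=gre-to-B network-type=point-to-point
# IPsec transport mode (tunnel=no) on the GRE packets themselves is what turns
# plain GRE into an encrypted VPN. "CHANGEME" is a placeholder pre-shared key.
/ip ipsec peer add address=198.51.100.1/32 secret=CHANGEME exchange-mode=main
/ip ipsec policy add src-address=192.0.2.1/32 dst-address=198.51.100.1/32 protocol=gre action=encrypt level=require tunnel=no sa-src-address=192.0.2.1 sa-dst-address=198.51.100.1 proposal=default
# Sites stay blind to each other because every spoke-to-spoke path crosses this
# router: only connections started from the hub LAN are forwarded, so
# spoke-to-spoke, spoke-to-hub and Internet-to-LAN attempts are all dropped
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward in-interface=ether1-lan action=accept
/ip firewall filter add chain=forward action=drop

# ---- site B router; public IP 198.51.100.1 is a constructed placeholder ----
/interface gre add name=gre-to-mng local-address=198.51.100.1 remote-address=192.0.2.1
/ip address add address=172.16.2.2/30 interface=gre-to-mng
/routing ospf instance set default router-id=10.2.0.1
/routing ospf network add network=172.16.2.0/30 area=backbone
/routing ospf network add network=10.2.0.0/16 area=backbone
/routing ospf interface add interface=gre-to-mng network-type=point-to-point
/ip ipsec peer add address=192.0.2.1/32 secret=CHANGEME exchange-mode=main
/ip ipsec policy add src-address=198.51.100.1/32 dst-address=192.0.2.1/32 protocol=gre action=encrypt level=require tunnel=no sa-src-address=198.51.100.1 sa-dst-address=192.0.2.1 proposal=default
```

OSPF hellos and the IKE/ESP exchange terminate on the routers themselves, so the input chain (not shown) must accept UDP/500, ESP and GRE from the peer's public address; the forward rules above do not affect them.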
 
settecplus
just joined
Topic Author
Posts: 13
Joined: Tue Oct 30, 2012 12:03 pm

Re: Help choosing the right routing

Wed Nov 07, 2012 4:14 pm

> Here is how I would solve it.

Well, you got me impressed. Really :) And most of all you have convinced me about the feasibility of your solution.

Now, I just need to find a way to set it up on our Routerboards! (any hints welcomed of course :P )

Thank you for your invaluable help.
 
deejayq
Member Candidate
Posts: 195
Joined: Wed Feb 23, 2011 8:33 am

Re: Help choosing the right routing

Wed Nov 07, 2012 5:11 pm

Well, actually it would be feasible if the management network router had two internet connections, one to connect to the internet and the other to run the GRE tunnels on.
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Help choosing the right routing

Wed Nov 07, 2012 6:01 pm

> well actually it would be feasible if the management network router would have two internet connections, on one to connect to the internet and on the other to connect the gre tunnels on.

There would be no advantage as far as I can see. It would still not provide redundancy if you only do GREs on one connection; the speed can be increased by making the primary connection faster, etc.
 
settecplus
just joined
Topic Author
Posts: 13
Joined: Tue Oct 30, 2012 12:03 pm

Re: Help choosing the right routing

Thu Nov 08, 2012 12:14 pm

@tomaskir: is there any way I can contact you directly?
I'm not allowed to send PMs here...
 
tomaskir
Trainer
Posts: 1122
Joined: Sat Sep 24, 2011 2:32 pm
Location: Slovakia

Re: Help choosing the right routing

Thu Nov 08, 2012 1:40 pm

Email me at tomas@atris.sk and I will give you a Skype contact; I can't send PMs either.
