At the moment, I have multiple gateways in my network.

One for normal internet use and one that passes everything through a VPN service (used for Netflix).

 

PCs should only use 1 gateway but be able to communicate with ones that are using the other gateway. That all works if I configure one set of PCs manually.

That means that I can only use DHCP on one part of my network and not on the other.

 

I know that I could probably solve this by separating the 2 networks and using a bridge to link them, but is there any other way?

 

 

I am pretty network savvy, so fire your ideas away.

https://linustechtips.com/topic/30001-multiple-gateways/

Do you statically switch gateways when you need to ?

 

A PC only needs 1 gateway, I won't switch them during operation if it's that what you ask.

 

I have DHCP turned on on my normal gateway, so all clients are by default not routed through the VPN.

 

If needed, my network supports VLANs.


I am not quite sure I understand you.

You got one router and then two subinterfaces on it, one for VPN traffic and one for regular Internet traffic? If that's the case then I don't really understand the problem. The gateway for the hosts on your LAN just need a gateway to your router (it doesn't matter which port it is) and they will be able to communicate with anyone else (since the router will route any packet it receives out through the correct port).

 

Can you please draw a map showing your setup and then please do.

I assume you want your router as a DHCP server, correct? I don't really get what you want to achieve on your LAN though. It is possible to have a router act as a DHCP server for two separate networks if that's what you want (or at least it is on Cisco routers) and then each DHCP pool will be tied to specific VLANs (will require router-on-a-stick).


I am not quite sure I understand you.

You got one router and then two subinterfaces on it, one for VPN traffic and one for regular Internet traffic? If that's the case then I don't really understand the problem. The gateway for the hosts on your LAN just need a gateway to your router (it doesn't matter which port it is) and they will be able to communicate with anyone else (since the router will route any packet it receives out through the correct port).

 

Can you please draw a map showing your setup and then please do.

I assume you want your router as a DHCP server, correct? I don't really get what you want to achieve on your LAN though. It is possible to have a router act as a DHCP server for two separate networks if that's what you want (or at least it is on Cisco routers) and then each DHCP pool will be tied to specific VLANs (will require router-on-a-stick).

 

They are 2 different routers, I can not just separate the 2 networks, because I have servers on my normal LAN that need to be accessible from the VPN network and vice versa. I could solve this by placing a bridge between those networks, but I want to avoid this, as the bridge would need to be quite high bandwidth.

 

All systems should be on the same network, but part of them should use 1 gateway, the other part the other gateway. I want to be able to have DHCP on entire network, but devices for the normal gateway should get IP's from one pool, the VPN devices from another pool.


I got an exact setup like this myself, 2 separate networks, but both can communicate with each other directly (192.168.0.1, 10.10.10.1) though I run 2 DHCP servers, one for each of the networks.

I'm guessing this is what you want? It's simple with RouterOS, not sure how you accomplish this with other stuff though :(

Something wrong with your connection ?

Run the damn cable :)


I got an exact setup like this myself, 2 separate networks, but both can communicate with each other directly (192.168.0.1, 10.10.10.1) though I run 2 DHCP servers, one for each of the networks.

I'm guessing this is what you want? It's simple with RouterOS, not sure how you accomplish this with other stuff though :(

 

I'm guessing you have the 192 within the 10, am I right? The problem with that is that my VPN router sends everything through the VPN that is not directly accessible. Also, the VPN router would need to have some high bandwidth to accommodate all the internal traffic.

 

For reference, my normal router is running PFSense, my VPN router DD-WRT.


No they are completely separate.

The way I see it, you could split the 2 networks with pfSense, set up a VPN tunnel and use NAT to route the VPN traffic through the tunnel and the same with normal traffic (load balancing sort of). It can also probably be done on a per-IP basis, though if the VPN tunnel and the normal connection are on the same port that could be difficult. Or the bridge.

Something wrong with your connection ?

Run the damn cable :)


No they are completely separate.

The way I see it, you could split the 2 networks with pfSense, set up a VPN tunnel and use NAT to route the VPN traffic through the tunnel and the same with normal traffic (load balancing sort of). It can also probably be done on a per-IP basis, though if the VPN tunnel and the normal connection are on the same port that could be difficult. Or the bridge.

 

If I'm not mistaken, I would have the same problem with this setup, mainly that I won't have enough bandwidth between those 2 networks.


They are 2 different routers, I can not just separate the 2 networks, because I have servers on my normal LAN that need to be accessible from the VPN network and vice versa. I could solve this by placing a bridge between those networks, but I want to avoid this, as the bridge would need to be quite high bandwidth.

 

All systems should be on the same network, but part of them should use 1 gateway, the other part the other gateway. I want to be able to have DHCP on entire network, but devices for the normal gateway should get IP's from one pool, the VPN devices from another pool.

OK so let me get this straight. You got two routers and both of them are edge routers with their own connection to the Internet, correct? Something like this.

[attached image: Network.PNG]

 

You want them on the same network? I am sorry, but I don't understand what you want or how the network looks.

By the way, each VLAN should be on their own network, so if you only want one network then you can't use VLANs.


OK so let me get this straight. You got two routers and both of them are edge routers with their own connection to the Internet, correct? Something like this.

[attached image: Network.PNG]

 

You want them on the same network? I am sorry, but I don't understand what you want or how the network looks.

By the way, each VLAN should be on their own network, so if you only want one network then you can't use VLANs.

 

[attached image: network.jpg]

(don't mind the SETTOP network, that one doesn't require high bandwidth)

 

At the moment, they are on the same network, they just use different gateways.

I need a way to separate the networks so I can enable DHCP on both and still can communicate between them.

Now I have 1 router with DHCP enabled and the other one with DHCP disabled.


(don't mind the SETTOP network, that one doesn't require high bandwidth)

At the moment, they are on the same network, they just use different gateways.

I need a way to separate the networks so I can enable DHCP on both and still can communicate between them.

Now I have 1 router with DHCP enabled and the other one with DHCP disabled.

That map can't be right. It shows that the only thing you got connected to your ISP is a switch, and that simply does not work. It also shows a lot of routers and modems which are only connected to a single switch, which is completely pointless. To be honest, this network is pretty badly designed. STP has for example shut down one of the links between your switches and if "root switch" is the root bridge then traffic is taking a sub-optimal way. You got several switches connected to just a few devices, and you could very easily just get switches with wireless connectivity and replace some of the APs. Also, for the love of God don't tell me "WINS-10" is a WINS server (not to be confused with a Windows Server).

Anyway, I think I understand your problem now. All devices are connected to both routers (via a switch) and you want some devices on the network to use the normal gateway as their default gateway, and you want some devices to use the VPN gateway as their default gateway. Correct? I am sorry, but that's not possible. The DHCP server has no way of knowing which device should get which default gateway if all devices are on the same network. You can make a DHCP server give out addresses from a specific pool depending on where they are plugged in (with the help of VLANs), but that requires them to be on different VLANs and thus different networks.

Why do you have a site-to-site VPN just for NetFlix anyway? That seems like a bit of a waste, compared to simply setting the VPN up on the hosts instead.


That map can't be right. It shows that the only thing you got connected to your ISP is a switch, and that simply does not work. It also shows a lot of routers and modems which are only connected to a single switch, which is completely pointless. To be honest, this network is pretty badly designed. STP has for example shut down one of the links between your switches and if "root switch" is the root bridge then traffic is taking a sub-optimal way. You got several switches connected to just a few devices, and you could very easily just get switches with wireless connectivity and replace some of the APs. Also, for the love of God don't tell me "WINS-10" is a WINS server (not to be confused with a Windows Server).

Anyway, I think I understand your problem now. All devices are connected to both routers (via a switch) and you want some devices on the network to use the normal gateway as their default gateway, and you want some devices to use the VPN gateway as their default gateway. Correct? I am sorry, but that's not possible. The DHCP server has no way of knowing which device should get which default gateway if all devices are on the same network. You can make a DHCP server give out addresses from a specific pool depending on where they are plugged in (with the help of VLANs), but that requires them to be on different VLANs and thus different networks.

Why do you have a site-to-site VPN just for NetFlix anyway? That seems like a bit of a waste, compared to simply setting the VPN up on the hosts instead.

 

First off, WINS-10 is a Windows Server, not a WINS server, that is just the naming that I use in my network.

 

Second, all my switches are L2 managed switches, so I can easily trunk them together and link my VLANs. All green wires are directly connected to my ISP (I can have up to 4 IP addresses at the same time).

 

Third, I know that some of the connections will be disabled with STP, I'm fine with that, they're just for redundancy.

 

Fourth, it's just so much easier to have a separate router for my VPN connection. Also, I can only have 1 active VPN connection, so this solves that. I'm also using it for different things than just Netflix.

 

 

Now that those things are clear, back to the real problem.

 

What I was thinking of is more like a system that lets me decide on a MAC address level what gateway my DHCP server gives my clients and what pool they get their IPs from.


Second, all my switches are L2 managed switches, so I can easily trunk them together and link my VLANs. All green wires are directly connected to my ISP (I can have up to 4 IP addresses at the same time).

Yes but you said you wanted them on the same network. With VLANs you should have each VLAN on a dedicated and separate network, so VLANs won't be of any use in this scenario.

I didn't know green cables were connected to your ISP, since you got a symbol for "Internet" and the only thing connected to that is a switch. Do you have a dedicated VLAN so that the routers are "directly" connected to your ISP (not really on topic, I am just curious)?

 

 

What I was thinking of is more like a system that lets me decide on a MAC address level what gateway my DHCP server gives my clients and what pool they get their IPs from.

Yes that is possible. You can make it so that MAC 01-23-45-67-89-ab gets address 192.168.1.2 netmask 255.255.255.0 gateway 192.168.1.1. Cisco calls it "binding", because a MAC address gets bound to a static IP. Every time the computer with the MAC address 01-23-45-67-89-ab makes a DHCP request, it gets the same IP. It's basically static IPs, but the IP is given by the DHCP server.

You can read about how to configure it on a Cisco router here: Cisco IOS DHCP configuration guide.

You will need 2 pools, but they can give out addresses for the same network. For example one pool might be 192.168.1.10 to 192.168.1.200 and the other pool (for "static" IPs) can be 192.168.1.201 to 192.168.1.240.


Yes but you said you wanted them on the same network. With VLANs you should have each VLAN on a dedicated and separate network, so VLANs won't be of any use in this scenario.

I didn't know green cables were connected to your ISP, since you got a symbol for "Internet" and the only thing connected to that is a switch. Do you have a dedicated VLAN so that the routers are "directly" connected to your ISP (not really on topic, I am just curious)?

 

Yes, I have a dedicated VLAN for my WAN connection, makes it easier to move stuff around.

 

 

Yes that is possible. You can make it so that MAC 01-23-45-67-89-ab gets address 192.168.1.2 netmask 255.255.255.0 gateway 192.168.1.1. Cisco calls it "binding", because a MAC address gets bound to a static IP. Every time the computer with the MAC address 01-23-45-67-89-ab makes a DHCP request, it gets the same IP. It's basically static IPs, but the IP is given by the DHCP server.

You can read about how to configure it on a Cisco router here: Cisco IOS DHCP configuration guide.

You will need 2 pools, but they can give out addresses for the same network. For example one pool might be 192.168.1.10 to 192.168.1.200 and the other pool (for "static" IPs) can be 192.168.1.201 to 192.168.1.240.

 

I know it is possible to set static IPs to a specific MAC address, but is it also possible to set another gateway? I haven't found that in PFSense.

 

Also, the pools that I will be using are 172.17.0.0/16 and 172.21.0.0/16. I want that for the MAC addresses that I choose, it dynamically uses the second pool (with the other gateway).


I know it is possible to set static IPs to a specific MAC address, but is it also possible to set another gateway? I haven't found that in PFSense.

Yes, because the default gateway is included with the DHCPACK, just like the lease IP, the subnet mask and the other DHCP info.

All you need to do is create 2 separate pools (with two different gateways) and then link MAC addresses to the correct pools. Make sure no pool overlaps with another. I don't know how to do this with PFSense but you can do it with Cisco IOS, and it's a pretty basic feature so PFSense should be able to do it.

 

Anyway, I thought you wanted them on the same network. 172.17.0.0/16 and 172.21.0.0/16 are two different networks, just a heads up.


Anyway, I thought you wanted them on the same network. 172.17.0.0/16 and 172.21.0.0/16 are two different networks, just a heads up.

 

Those are just the pools, the subnet mask will be /12.


Those are just the pools, the subnet mask will be /12.

Oh OK. You don't write DHCP scopes like that so I got confused. Anyway yeah then it will be the same network. Just bind the different MAC addresses to the different scopes and it should work just fine.
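The arrangement the thread converges on (one 172.16.0.0/12 network, a 172.17.0.0/16 pool with the normal gateway and a 172.21.0.0/16 pool with the VPN gateway, membership decided by client MAC), written out as an ISC dhcpd configuration; this is an added example, not any poster's config and not the pfSense GUI. The gateway addresses 172.16.0.1 (pfSense) and 172.16.0.2 (DD-WRT VPN router) and the client MACs are assumed placeholders.

```conf
# Added example: ISC dhcpd, one /12 subnet, two pools with different
# default gateways (DHCP option 3), pool membership selected by MAC.
# 172.16.0.1, 172.16.0.2 and all MACs below are assumed placeholders.
authoritative;
default-lease-time 3600;
max-lease-time 86400;

# "match hardware" compares hardware type + MAC, so subclass values
# are written as 1:<mac> (1 = Ethernet). One line per VPN client.
class "vpn-clients" {
    match hardware;
}
subclass "vpn-clients" 1:00:11:22:33:44:55;   # placeholder: media PC
subclass "vpn-clients" 1:00:11:22:33:44:66;   # placeholder: set-top box

subnet 172.16.0.0 netmask 255.240.0.0 {
    option subnet-mask 255.240.0.0;
    option domain-name-servers 172.16.0.1;    # assumed: resolver on pfSense

    # Normal clients: addresses from 172.17.0.0/16, gateway = pfSense.
    pool {
        range 172.17.0.1 172.17.255.254;
        option routers 172.16.0.1;
        deny members of "vpn-clients";
    }

    # VPN clients: addresses from 172.21.0.0/16, gateway = DD-WRT router.
    # Only listed MACs can lease from this pool.
    pool {
        range 172.21.0.1 172.21.255.254;
        option routers 172.16.0.2;
        allow members of "vpn-clients";
    }
}
```

Because both pools sit in the same /12, hosts on either side reach each other directly through the switches, with no traffic crossing a router. The MAC match only steers which gateway a client is told to use; a host that sets its own IP and gateway statically is not constrained by it, so treat this as a convenience setting rather than an enforcement boundary.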
