Solved 3 Internet Connections, 2 ISPs, 2 Routers

July 10, 2011 at 21:09:02
Specs: Windows 7
3 Internet connections:
2 Comcast cable business lines in a round-robin dual-WAN setup & Linksys RV082.
Linksys dishes out DHCP to about 50 users, 1 IPsec tunnel to cloud provider.

1 Verizon Business DSL line, just bought a Cisco RVS 4000 & configured the Verizon modem as a bridge.

1 Gigabit switch

3 APs.

So, here's the scoop... Dual Comcast WAN & Linksys RV082 is the entire network. We have about 10 wired users, and the rest are wireless. Everyone uses RDP to connect to our cloud provider over a VPN line that our RV082 uses.

Problem is, we have about 10 full-time non-office employees, and could potentially have 20 remote users needing to use our network. Our cloud provider wants to charge us $15/user per month... the VPN client for the Linksys is really finicky, and it seems every time I turn around I need to update the firmware to keep our VPN users connected, but with our setup, there's 40 users who are out of access if I have to bring down our Linksys for any reason...

So, I found out we have a Verizon business DSL line not being used for anything... I have ordered a static IP, and purchased a Cisco RVS 4000 with VPN capabilities to do some testing. Now, how do I get the users VPN'ed into the Cisco RVS 4000 to have valid IPs in the local network that's created by our Linksys? I'm thinking my task is to figure out how to get my Cisco RVS 4000 to accept DHCP from our Linksys...

And physically, what media (cabling, etc) do I need to connect?

Please advise.



✔ Best Answer
July 18, 2011 at 07:25:51
Anyhow, to answer ur larger question, hosting provider wants $15 per each vpn per month...

I would discuss the situation with them and see if they won't give you a better price per VPN connection. While I'm not 100% sure (I don't know what they're using, or how they have it setup) the other clients should all connect to the same VPN and shouldn't require any more equipment on the providers end of things. At the most, they might have to adjust the configuration on their VPN device.

I would ask them about a blanket fee to cover all contingencies (ie: 10 remote users connecting directly all the time and the possibility of XX number of more (temporary) remote connections in the case of a failure)

If they won't come down to a reasonable amount, you should still be able to accomplish this through use of the second router/internet connection.

So, if I connect the LAN port of Cisco's router, do I go into the gigabyte port on one of my switches?

Yes. Essentially, the connection from the LAN port on the Cisco to the switch is another client connection. I would recommend using a crossover cable though since you are in fact going from switch to switch. Most, if not all, modern switches are auto MDIX capable so you could use a regular patch cable but I prefer to color code my cabling and for me, red is always crossover cables and used for interswitch connections. This just makes troubleshooting a whole lot easier too.

What's dhcp relay?

In a nutshell, DHCP can't cross network boundaries and you would use a relay agent on a separate segment to provide DHCP to clients on that segment. However, I see no need for a DHCP relay agent in your situation. More in-depth detail on this topic is available on the internet.

What LAN IP do I make the Cisco?

As stated in my last post:

Linksys LAN = 10.10.150.0
Linksys Router local IP = 10.10.150.1
Linksys DHCP = true

Connect the Cisco to the switch, as per my guide, give it the following:
LAN IP = 10.10.150.2
DHCP Enabled = No


Curt, one more thing- I don't want any traffic to go in/out the DSL line (cisco router) except for the remote users & their VPN's... The DSL line is a great deal slower than our dual cable lines...

Using the aforementioned IP addressing scheme and with DHCP enabled only on the Linksys router, clients would get the default gateway IP of the Linksys router (10.10.150.1) and as such, all their traffic would flow through the Linksys.

If you wanted to change that, you'd have to actually give them the gateway IP of the Cisco router (10.10.150.2) in order to make traffic flow through it.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***



#1
July 11, 2011 at 07:33:15
If I'm reading this right, you wish to add a second internet connection to your network.

You want users to be able to connect to a remote site through a VPN on either one or the other and all to be in the same subnet.

If I have that straight you would give the Cisco 4000 a LAN IP in the same subnet as the rest of your network.

Example:

Linksys Router
LAN IP = 192.168.0.1
SM = 255.255.255.0
DHCP Enabled = Yes
DHCP Scope 192.168.0.100 to 192.168.0.199

Cisco 4000
LAN IP = 192.168.0.2
SM: 255.255.255.0
DHCP Enabled = No

For clients you wish to access the internet through the Cisco 4000, you would have to statically assign them TCP/IP Settings and use the LAN IP of the Cisco 4000 as their Default Gateway address (192.168.0.2)

For clients you wish to access through the Linksys, leave them as DHCP Clients.

Which router is used by clients is defined by the Default Gateway address.


#2
July 11, 2011 at 19:20:10
Thank you for your reply, I truly appreciate it! That does help, but I think I need to get a little more specific.

The only thing our company is using at the moment is our business Comcast cable lines (both going into the Linksys router). All of our users connect to a cloud provider via an IPsec tunnel from our Linksys router to our cloud provider. The LAN side of our router supports about 50 users who are on that physical network. For simplicity's sake, we'll use our actual subnet address... 10.10.150.0

We have around 5-10 people who I want to VPN into our local 10.10.150.0 THEN once on our local network, they too, can use the cloud provider's environment.

Instead of using the Linksys to handle these VPNs, I want to use a dedicated device on a DSL line that, until now, wasn't being used for anything. I would like all of our current network to remain intact... I do not wish for any computers on our physical network to use our DSL line. I would like this DSL line to handle nothing but our VPNs for our remote users.


%%%%%%%%%%%%%%
Linksys LAN = 10.10.150.0
Linksys Router local IP = 10.10.150.1
Linksys DHCP = true

Let's say I have 10 remote users connecting to our network via VPN through the DSL line and Cisco 4000...


Questions:

1. Could I make my Cisco 4000 enable DHCP, but only from a pool of addresses (ex: 10.10.150.240-250)

2. Would I make my Linksys DHCP from a pool of addresses from 10.10.150.2-238?

3. Should I consider subnetting?

4. Finally, what physical connections should I consider to connect the Cisco to our local network behind the firewall?


***To any who may read, and care to respond: I'm up for whatever suggestions anyone can provide given my goal of using the Verizon DSL line as the connection for our primary VPN device to our local 10.10.150.0 network***


Thanks again Curt, and thanks for everyone else who may help too!



#3
July 13, 2011 at 07:52:40
I'm having a hard time picturing your setup in my head...........and I'm very visual so bear with me.

We have around 5-10 people who I want to VPN into our local 10.10.150.0 THEN once on our local network, they too, can use the cloud provider's environment.

Instead of using the Linksys to handle these VPNs, I want to use a dedicated device on a DSL line that, until now, wasn't being used for anything.

Why can't they just connect directly to your "cloud" provider (I so hate buzzwords)?

Are all your services hosted by the 3rd party or do you have any in-house services your users access? If there's nothing your remote users need to access within the office, it would make more sense (to me anyhow) to have the remote users VPN directly to your external provider.

Your setup is a little strange and the closest I've ever come to this situation was a client who had their AD Domain DCs hosted/maintained by a 3rd party hosting company. Their users used thin clients and connected to the remote host via VPN so the client's users could then log on to the domain and access all domain resources. They had no local resources in their location.

If your situation is similar then it would make sense to take the extra step out of the equation and have remote users go directly to the source.

Having said that........

I'm not familiar with your equipment, but it seems to me it should be simple enough to have the remote users connect to the Cisco device and thereby access your LAN. Once connected that way, they should then be able to access the remote hosts site through the VPN just like users in the office do since for all intents and purposes, they would appear to be "local" as well.


#4
July 13, 2011 at 08:08:59
I forgot to address your questions directly, I'll try here:

Questions:

1. Could I make my Cisco 4000 enable DHCP, but only from a pool of addresses (ex: 10.10.150.240-250)

Certainly. Recently I had to set up a training lab with wireless. To avoid having too many users on a single AP I used two SOHO routers with wireless capabilities. I split a pool of IPs between them. Something like the following:

Scope A = 192.168.1.100 to 192.168.1.150
Scope B = 192.168.1.151 to 192.168.1.200

The important thing is, if you're going to have two DHCP servers in the same segment of the same network, you want to ensure their scopes do not overlap so as to avoid any chance of duplicate IPs.

2. Would I make my Linksys DHCP from a pool of addresses from 10.10.150.2-238?

As per above. If the two DHCP servers are on the same network, you do not want the pools overlapping. However, it shouldn't be necessary to have both routers providing DHCP if they ARE in the same network. A single DHCP server should be able to provide TCP/IP settings to any client requesting such. Click on my name above in one of my responses and read my "how-to" guide titled "Add a Second Router to your LAN". Pay attention to the scenario where you have only one subnet and connect the two routers "LAN port to LAN port". You'll notice I have DHCP disabled on the downstream router because clients connected to it get their DHCP from the upstream router's DHCP server. The same theory applies in your case.............if the two routers are on the same network.

3. Should I consider subnetting?

I'd say no. Not unless you're out of IP addresses and absolutely have to.

4. Finally, what physical connections should I consider to connect the Cisco to our local network behind the firewall?

Since you want this all to be a single network, I'd say connect to the switch. If the rest of your network is setup as follows:

External Connections (x2) >> Dual WAN Router >> Switch >> AP's & Clients

then connecting the Cisco unit to the switch incorporates it, and anybody connected to it, into the network.

You have the following:

Linksys LAN = 10.10.150.0
Linksys Router local IP = 10.10.150.1
Linksys DHCP = true

Connect the Cisco to the switch, as per my guide, give it the following:
LAN IP = 10.10.150.2
DHCP Enabled = No

Clients connecting to the Cisco will still get DHCP settings from the Linksys and have full LAN access, including the VPN.

However, your setup is a little convoluted and I can't guarantee clients connecting remotely to the Cisco would get VPN access to the external site. This would of course require some testing and tweaking until it did work.

I still say the simplest solution is, remote clients VPN directly to the external site, bypassing your LAN altogether. This saves you some setup/testing and management headaches.......lol

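As an added example (not code from the thread, and not from any of the routers it mentions), a small Python check of the single-subnet plan from #1 and #4: two routers on 10.10.150.0/24, DHCP scopes that must neither overlap nor hand out a router's own address, and the default gateway alone deciding which router a client's traffic leaves through. The 10.10.150.x addresses are the thread's own; the Linksys scope range and the router names are assumptions.

```python
import ipaddress

# Constructed values, not pulled from the thread's routers: the subnet and the
# router addresses are the ones the posts discuss; the Linksys scope is assumed.
LAN = ipaddress.ip_network("10.10.150.0/24")

RECOMMENDED = {  # the plan in #4: only one DHCP server on the segment
    "linksys": {"ip": "10.10.150.1", "scope": ("10.10.150.100", "10.10.150.199")},
    "cisco": {"ip": "10.10.150.2", "scope": None},
}

PROPOSED = {  # the poster's split-scope idea from #2, for comparison
    "linksys": {"ip": "10.10.150.1", "scope": ("10.10.150.2", "10.10.150.238")},
    "cisco": {"ip": "10.10.150.2", "scope": ("10.10.150.240", "10.10.150.250")},
}


def scope_hosts(scope):
    """Expand an inclusive (first, last) pair into the set of addresses it hands out."""
    if scope is None:
        return set()
    first, last = (ipaddress.ip_address(a) for a in scope)
    return {ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)}


def check_plan(lan, routers):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    hosts = {name: scope_hosts(r["scope"]) for name, r in routers.items()}
    for name, r in routers.items():
        ip = ipaddress.ip_address(r["ip"])
        if ip not in lan:
            problems.append(f"{name} LAN IP {ip} is outside {lan}")
        if any(h not in lan for h in hosts[name]):
            problems.append(f"{name} DHCP scope reaches outside {lan}")
        # No scope may hand out an address a router already owns.
        for other, other_hosts in hosts.items():
            if ip in other_hosts:
                problems.append(f"{other} scope contains the {name} address {ip}")
    # Two DHCP servers on one segment must not share any address (duplicate IPs).
    names = list(routers)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            overlap = hosts[a] & hosts[b]
            if overlap:
                problems.append(f"{a} and {b} scopes overlap on {len(overlap)} addresses")
    return problems


def router_for(client_gateway, routers):
    """The router a client's traffic leaves through is decided only by its default gateway."""
    gw = ipaddress.ip_address(client_gateway)
    for name, r in routers.items():
        if ipaddress.ip_address(r["ip"]) == gw:
            return name
    return None
```

Running `check_plan(LAN, PROPOSED)` flags that the poster's Linksys pool of 10.10.150.2-238 would hand out the Cisco's own address, which is the kind of conflict the non-overlap advice in #4 is meant to prevent.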

#5
July 13, 2011 at 08:15:44
Seems to me all that is going on here is the need for 5-10 remote users to get on the LAN.

Couple of ways of doing this but they all have a VPN router appliance in common.

With a VPN-capable router [you load the VPN client software on the remote PCs and when they log on to the router they get an IP in the local LAN subnet]

1. they log on to a terminal server and do their IPsec connection to the cloud from there.
2. they log on to a workstation RDP session and do their IPsec connection to the cloud from there
3. they are able to run their IPsec connection from their VPN'ed-into-the-local-LAN connection [this may be slower with an IPsec tunnel inside a VPN tunnel]

I would replace the Linksys [Linksys is owned by Cisco but is not the quality product of Cisco] with a SonicWall. Great VPN client software and it works every time.

Answers are only as good as the information you provide.
How to properly post a question:
Sorry no tech support via PM's



#6
July 14, 2011 at 16:39:40
Curt, the situation of your unique client is exactly our situation... No local resources, most hardware is thin client... We connect via RDP to provider's TS via IPsec. DC, AD, fileserver, Exchange sv, TS, and a SQL sv. All "managed" offsite. Well, maybe "hosted" is a better word... Anyhow, to answer ur larger question, hosting provider wants $15 per each VPN per month... We deal w financial institutes, so we need to b secure, and if we have a snowstorm, we need to provide means for a skeleton crew of 20-30 workers to securely work from home... That would cost $2-300 a month through our provider... That being said, it's worth me taking the time to figure it out.


So, if I connect the LAN port of Cisco's router, do I go into the gigabyte port on one of my switches?

What's dhcp relay?

What LAN IP do I make the Cisco?

I'll b back w a few more questions shortly...



#7
July 14, 2011 at 17:01:15
wanderer, that's a good point. Our Linksys router is a bit finicky with VPNs, and it handles our round-robin dual-WAN Comcast business lines OK. Since it's our lifeline to our managed services, I'd rather not have the need to constantly tinker with it to get our remote users VPN'ed into our local network. Aside from that, we have a Verizon DSL line that's not being used at this point that we pay for every month for absolutely nothing... Lastly, I'd like to have the redundancy to create a backup VPN through another provider if our Comcast line ever goes out...

Hope this answers your questions...



#8
July 14, 2011 at 17:03:43
Curt, one more thing: I don't want any traffic to go in/out the DSL line (Cisco router) except for the remote users & their VPNs... The DSL line is a great deal slower than our dual cable lines...



