Weird networking configuration question

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,728
Location
Horsens, Denmark
We will be using another company's WAN infrastructure to reach a branch office. I have an Ethernet port to their network at both of my offices.

Main office <-> Their network <-> Our Branch Office
192.168.168.2 <-> whatever <-> 192.168.168.3

I can ping directly across the link, so there isn't anything funky going on.

What I want is the ability to bridge our offices' networks while keeping their junk out. In theory, I could just plug it in and everything would be browse-able, but some level of separation would be preferred.

Should I set up a pair of VPN boxes? Should I get them to stick me on a VLAN? I know nothing of VLANs, would that even work?
 

Fushigi

Storage Is My Life
Joined
Jan 23, 2002
Messages
2,890
Location
Illinois, USA
Site-to-site VPN would be best. That way you're not open to their sniffing your traffic, which they could do even if you were using VLANs. Also use a firewall at each end & have it set to only allow the VPN traffic through.

(LAN) - (VPN) - (Firewall) -- (Partner's network) -- (Firewall) -- (VPN) - (LAN)
 

ddrueding

That was my first guess, Fushigi. Any recommendations on an appliance that could manage that? It seems a really simple task, and I'd hate to stick a computer in when I don't have to (one of the locations is a solar-powered tower, less power draw is better).
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
In the Cisco world I would recommend an L2TP v3 tunnel (VPN) between both offices' routers - will work over any IP network (including the internet).

Since you mentioned low power requirements, Cisco is probably out though. I thought you could do similar with m0n0wall/pfSense, Shorewall, or just Linux.
 

ddrueding

If it weren't for the power requirements, Smoothwall would be my #1 choice. I have a VIA EPIA system sitting here as a last resort. If I could just hook up two small boxes, that would be great.

I know that DD-WRT supports VPN stuff, but it is far from simple.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,269
Location
I am omnipresent
If you can do dd-wrt, it has a built-in PPTP client and server. That's not the most secure thing in the world, but it's serviceable.

The fact that dd-wrt does not directly support SSH is one of the things I don't particularly like about it.
 

Mercutio

No. That looks more like an L2TP implementation. Certainly more secure than PPTP, but I was just talking about PPTP, which requires pretty close to zero setup since it doesn't require a Certificate Authority and has both client and server already built into dd-wrt.
 

ddrueding

Mercutio said: "No. That looks more like an L2TP implementation. Certainly more secure than PPTP, but I was just talking about PPTP, which requires pretty close to zero setup since it doesn't require a Certificate Authority and has both client and server already built into dd-wrt."

Fantastic. Do you happen to have a link of some kind to it? I don't recall seeing something that simple in its menus, and don't have a DD-WRT router handy.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Keep in mind SMB and WAN connections don't get along very well together, so Windows file sharing will be horrifically slow (close to completely unusable) for the remote people.
 

Stereodude

I have to suffer at work on a regular basis trying to copy files over Windows network shares extended through a VPN over a WAN link. It can take over 1 hour to move 150MB of data with a 7Mbit/sec download speed. :cursin:
 

ddrueding

I have everything set up and in production now, I just have one issue. The 192.168.2.x network connects over this VPN to the 192.168.0.x network. The DD-WRT device on the second network has IP address 192.168.0.46. Adding a static route to the necessary servers allows them to communicate well with the 192.168.2.x network and the outside world. The internet can be found beyond a Smoothwall at 192.168.0.1. In other words, for 192.168.2.100 to hit the internet, it needs to go to 192.168.2.1, which links over the VPN to 192.168.0.46, which can then get to 192.168.0.1 and the internet.

It isn't working. I assume I need to tell the smoothwall how to reach the 192.168.2.x network?

Any thoughts?
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
At the very minimum you would have to do that: You need two way communication between the networks for the internet to work.

Ideally, I would want the routers to be configured with NAT so that the 192.168.2.x network addresses are converted to 192.168.0.x addresses when they get to the 192.168.0.x network and the 192.168.0.x addresses are converted to 192.168.2.x addresses when they hit the 192.168.2.x network.
 

ddrueding

I'm concerned about the added complexity of NATing; setting up port forwarding rules and the like would complicate things. Particularly as some of the machines in the 2.x network need to talk to machines in the 1.x network using different protocols.
 

Stereodude

I don't think your setup will work. What is the gateway for each network?

I think your remote site will have to get internet access back through the primary site.
 

ddrueding

I want the remote site to get its internet through the primary site. The only way to the internet is through 192.168.0.1.

Everything at 192.168.0.x can get on the internet. Everything at 192.168.0.x can (when the static route is added) get to machines on 192.168.2.x through 192.168.0.46.

No routes need to be added to anything in 192.168.2.x, as the only gateway is 192.168.2.1.

What I think I need is to tell the router at 192.168.0.1 that it can reach 192.168.2.x through 192.168.0.46.

Does this make sense? I've been working 24+ hours, and things are starting to get really blurry.
 

Stereodude

Yes, the gateway for the PCs at 192.168.0.xxx needs to know how to get to 192.168.2.xxx. Get some sleep. Your post was rather cryptic.
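The return-path problem discussed in the posts above, as an added example that is not part of the original thread: a longest-prefix-match lookup over constructed routing tables shows why replies to 192.168.2.100 are lost until the Smoothwall gets a route to 192.168.2.0/24 via 192.168.0.46. The table contents, the /24 masks, the `wan` and `vpn` labels and the internet host 203.0.113.10 are assumptions for illustration.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), hop) for net, hop in table
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Constructed tables built from the addresses in the thread (assumed /24 masks).
# "direct" = on-link delivery, "wan" = Smoothwall uplink, "vpn" = tunnel to the branch.
SMOOTHWALL_BEFORE = [("192.168.0.0/24", "direct"), ("0.0.0.0/0", "wan")]
SMOOTHWALL_AFTER = SMOOTHWALL_BEFORE + [("192.168.2.0/24", "192.168.0.46")]
DDWRT_MAIN = [("192.168.0.0/24", "direct"),
              ("192.168.2.0/24", "vpn"),
              ("0.0.0.0/0", "192.168.0.1")]

def reply_path(smoothwall_table, client="192.168.2.100"):
    """Trace where the Smoothwall sends a reply addressed to the branch client."""
    hop = lookup(smoothwall_table, client)
    if hop == "wan":
        # No specific route: the reply follows the default route and never returns.
        return "lost: reply for %s leaves via the WAN default route" % client
    if hop == "192.168.0.46":
        nxt = lookup(DDWRT_MAIN, client)
        return "delivered: smoothwall -> 192.168.0.46 -> %s -> %s" % (nxt, client)
    return "unexpected next hop: %s" % hop

if __name__ == "__main__":
    # Outbound always works: the DD-WRT box forwards internet traffic to 192.168.0.1.
    print("outbound next hop:", lookup(DDWRT_MAIN, "203.0.113.10"))
    print("before:", reply_path(SMOOTHWALL_BEFORE))
    print("after: ", reply_path(SMOOTHWALL_AFTER))
```
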
 

ddrueding

This has been working almost flawlessly for a couple months. Unfortunately, that "almost" involves having to reboot the hardware on the remote end every week or so. At 5:15AM. 50 miles away.

If I were looking to throw some money at this problem and look for a more stable solution, where would you suggest? blakerwry mentioned a Cisco L2TP v3 tunnel (VPN), but what hardware?

Thanks.
 

blakerwry

3600 or better routers should be able to handle at least 10Mbps through an L2TP tunnel. Again, you're probably looking at 10x the power usage, and I don't know that the Cisco will play nice with non-Cisco gear at the other end (I've even had trouble between two Cisco devices if the terminating interfaces don't have similar configs).

If the setup is working as you want it to, I'd look at replacing the unit (and power adapter) that's flaking out, and possibly checking that power is consistent.
 

ddrueding

You are probably right. I have climate-controlled boxes going in next week, and on-line UPS systems on the way. I'll swap out the Linksys with another and see what happens. I might even crack the case and look into active cooling.
 