Re: 3 LAN, 2 WAN - 2 LAN use 1 WAN, last LAN uses other WAN

"Phillip Windell" wrote:

> Using RRAS as a LAN Router and using it as a NAT Firewall are two different
> functions. I imagine both can be done at the same time, but I have never
> done it. RRAS is not going to provide squat for auditing,...it just doesn't
> do it.

I know I have to use RRAS, I'm just not able to make it bend to my will... I
also know RRAS isn't going to do any auditing. I do know that VMware has
bridged connections which I then use in a Linux VM running ntop, which operates
in promiscuous mode and does the auditing.

> If the LAN Router between the "businesses" and the Internet "sharing" device
> (NAT Firewall) are both the same device it just ain't gonna happen. Routes
> are determined by the Destination,..*not* by the Source. You cannot run
> things through a single device and then expect the traffic to go to the
> Internet over different paths after that. It does not matter how many Nics
> you stick in something,...there is still only one Routing Table and that is
> where the decision comes from.

Right, so this sounds like Windows (out of the box) isn't able to do source
NAT, only Destination NAT... In Linux you could dictate the next hop based on
the source.

> Even if you decide to forget about the auditing, and you just want them to
> use different Internet "paths", you have to deal with all of the
> below.......

> With a single LAN Router for all the segments, your Inter-LAN Routing must
> be totally separated from anything having anything to do with the Internet.
> Then each "business" uses the Firewall they are supposed to use for the
> Internet as their Default Gateway. Then the Firewall would have a static
> Route that tells everything to use the LAN Router as the "path" for the
> other IP Segments. You can't do that if both the LAN Router and the Firewall
> are the same device. Keep in mind that some firewall devices may not allow
> this because it is considered a "bad idea" to place LAN "routing decisions"
> on the Firewall.

Ok, the actual DSL modems are the sharing device in that on one side is the
Internet IP and on the other side is the LAN IP. All I need is a rule that
says ok this packet is from this subnet you should go to this IP next. That
IP would be the LAN IP of the DSL modem. But like I said above it's looking
more and more like Windows isn't able to make these kinds of decisions.

> The correct topology (but more expensive) would be for each "business" to
> have its own LAN Router (3 businesses - 3 LAN Routers). Then the LAN
> Routers would be the Default Gateway of each respective business,...the LAN
> Routers in turn would use the correct Firewall for that particular business
> as the Default Gateway. Then the routing scheme between the businesses
> could be handled by Dynamic Routing Protocols or it could be worked out with
> a series of Static Routes on the 3 Inter-LAN Routers.

Yeah - That's what I had in mind, I was trying to do 3 LAN routers in 1 LAN
router. Looks like this isn't possible... Which is odd since it really is
just routing with extra rules - it must be doable - I'll keep searching.
These are the rules; just follow them. I need to figure out how to implement
them:

If (src network == 192.168.10.0/24) {
    GoTo 192.168.1.1 via WAN-NIC
}
If ((src network == 192.168.11.0/24 OR src network == 192.168.12.0/24) AND
    destination is 0.0.0.0) {
    GoTo 192.168.2.1 via WAN-NIC
}

That is trivial to do in Linux using iptables - and there must be a way to do
it in Windows :)

I guess I could make my nTop virtual machine a router.... Damn that's clever
thinking with a capital T - I'll just do that if windows isn't able to do it.


> You can gain some flexibility with a "proxy based" Firewall (like MS ISA
> Server) at each Internet link, but I doubt you would consider buying an
> ISA Server for each Internet link. But even then there are things that you
> just cannot do.

I thought ISA might show its head - yeah I'm not going to pay for that due
to cost and I really don't need it :)


Thanks for your input Phillip, I appreciate you taking the time to reply.

ZaneB
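What the thread calls routing "by the source" is policy routing on Linux: an `ip rule` entry keyed on the source address selects which route table is consulted before the destination lookup happens, so one box with one kernel can still send three segments out two uplinks. The script below is an added example written for this page, not code from the thread or from either poster. The subnets and the two modem LAN addresses (192.168.1.1 and 192.168.2.1) come from the rules above; the interface names (lan10, lan11, lan12, wan_a, wan_b) and the table numbers 100 and 200 are assumptions. It also keeps Phillip's point about inter-LAN routing: the connected LAN prefixes are copied into each per-uplink table so that a source rule cannot throw LAN-to-LAN traffic out a DSL line, and a FORWARD policy keeps each business on its assigned uplink.

```shell
#!/bin/sh
# Added example: Linux policy routing for 3 LAN segments and 2 DSL uplinks.
# Interface names, table numbers and the mapping below are assumptions for
# this example, not taken from the original thread:
#   lan10 = 192.168.10.0/24 -> uplink A (modem LAN IP 192.168.1.1 on wan_a)
#   lan11 = 192.168.11.0/24 -> uplink B (modem LAN IP 192.168.2.1 on wan_b)
#   lan12 = 192.168.12.0/24 -> uplink B
# "sh policy-routing.sh apply" (as root) configures the box; any other
# invocation only prints the commands it would run.

WAN_A_IF=wan_a; WAN_A_GW=192.168.1.1; TABLE_A=100
WAN_B_IF=wan_b; WAN_B_GW=192.168.2.1; TABLE_B=200
LANS="lan10:192.168.10.0/24 lan11:192.168.11.0/24 lan12:192.168.12.0/24"

# run CMD...: execute CMD, or print it when DRY_RUN is non-empty.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# add_rule ARGS...: delete an identical rule first so re-runs stay idempotent.
add_rule() {
    run ip rule del "$@" 2>/dev/null || true
    run ip rule add "$@"
}

configure_policy_routing() {
    run sysctl -w net.ipv4.ip_forward=1

    # One route table per uplink. Each table gets a copy of the connected LAN
    # prefixes, so traffic that a source rule steers into it is still delivered
    # locally when its destination is another LAN, instead of following the
    # table's default route out to the modem.
    for entry in $LANS; do
        dev=${entry%%:*}; net=${entry#*:}
        for t in "$TABLE_A" "$TABLE_B"; do
            run ip route replace "$net" dev "$dev" table "$t"
        done
    done
    run ip route replace default via "$WAN_A_GW" dev "$WAN_A_IF" table "$TABLE_A"
    run ip route replace default via "$WAN_B_GW" dev "$WAN_B_IF" table "$TABLE_B"

    # The decision keyed on SOURCE: the rule picks the table before any
    # destination lookup. Priorities below 32766 are consulted before "main".
    add_rule from 192.168.10.0/24 lookup "$TABLE_A" priority 1000
    add_rule from 192.168.11.0/24 lookup "$TABLE_B" priority 1001
    add_rule from 192.168.12.0/24 lookup "$TABLE_B" priority 1002

    # Masquerade behind each modem's LAN address: a consumer DSL modem has no
    # route back to the 192.168.1x.0/24 networks, so replies would be dropped.
    run iptables -t nat -A POSTROUTING -o "$WAN_A_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$WAN_B_IF" -j MASQUERADE

    # Forwarding policy: each business reaches only its assigned uplink, and
    # the router is not a path from one LAN onto another business's line.
    # Add explicit "-i lanX -o lanY" rules if the businesses must talk.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i lan10 -o "$WAN_A_IF" -j ACCEPT
    run iptables -A FORWARD -i lan11 -o "$WAN_B_IF" -j ACCEPT
    run iptables -A FORWARD -i lan12 -o "$WAN_B_IF" -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then DRY_RUN=; else DRY_RUN=1; fi
configure_policy_routing
```

To check the decision the kernel will actually make, ask it directly: `ip route get 8.8.8.8 from 192.168.12.5 iif lan12` should report the route via 192.168.2.1 on wan_b, while `ip route get 192.168.11.7 from 192.168.12.5 iif lan12` should stay on lan11; `ip rule show` and `ip route show table 100` show the rule order and per-table contents if something looks wrong.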