Two Gateways

cygan

Member
Sep 30, 2004
70
0
0
I am stuck in a networking soup. My client has recently got MPLS installed for connecting his two offices. He has asked me to connect the two networks, so that the server is accessible from the spoke location.

I shall first describe the two networks (Hub & Spoke). The Hub location has two segments working out on the same physical network, i.e. 192.168.0.X and 192.162.1.X. The internet router/gateway (192.168.1.1) is also connected to the same physical network. The MPLS gateway (192.168.0.1) also terminates in the same switch. Servers in this location have two network cards each, one catering to the LAN nodes on 192.168.0.x and one for access via the internet on 192.168.1.x. The IP config on one server, e.g., would be:
NIC1 -
ip: 192.168.0.105
SubNet : 255.255.255.0

NIC2 -
ip: 192.168.1.10
SubNet: 255.255.255.0
Gateway: 192.168.1.1
DNS: 202.144.115.4
202.144.66.6

The other office has just the MPLS gateway (192.168.16.1) terminating into a switch, and connected to machines on the segment : 192.168.16.x with a subnet mask 255.255.255.0 and gateway : 192.168.16.1.

We tried pinging one computer at spoke location from the hub location with a machine having a single lan card configured to 192.168.0.207 subnet 255.255.255.0 and gateway 192.168.0.1 and it was successful.

We also tried vice versa from the spoke location with a computer (192.168.16.63, subnet 255.255.255.0 and gateway 192.168.16.1) to the hub computer (the same parameters as mentioned above, i.e. 192.168.0.207, subnet: 255.255.255.0 and gateway 192.168.0.1) and that too was a success.
However, when we try pinging from the spoke location to the server on 192.168.0.105 (with one NIC for LAN: 192.168.0.105/255.255.255.0 and the other NIC connected to the internet: 192.168.1.10/255.255.255.0 and gateway: 192.168.1.1), it is unsuccessful (which is logical because the gateway for the machine is 192.168.1.1). I cannot change the setup at the hub location, because there are other issues. The servers also require internet access for users to connect from outside. Is there any way I can get this working, so that a ping from 192.168.16.63 goes to 192.168.0.105? I also understand that we cannot have two gateways on the same machine since these are disjoint networks. Is there any way that the traffic for 192.168.0.105 goes right to that machine even if the gateway is on the 192.168.1.x segment? Or any other alternate option? Please help
 

cygan

Maybe this diagram will explain my situation better.

http://www.cyberganesha.com/downloads/LAN.jpg

I want PC3 & PC4 to access servers 1 &2. (at least server2)

With the present ip, PC2 can access PC3 & PC4.
PC1 & the Servers cannot access PC3 & 4 till a static route is added.
PC3 & PC4 can access PC2 but not PC1 & the servers
Routers 2 & 3 can access each other but not router 1.

Please let me know.

Thanx
 

Lemieux66

Member
Sep 19, 2001
72
0
66
Each interface on the servers can have its own gateway. So give NIC1 on servers 1 and 2 a gateway of 192.168.0.1 and then your traffic from the spoke will be returned.

As currently configured if you were to perform a packet capture on server 1 you would see traffic coming in from the spoke but because it doesn't have a gateway for the 192.168.0.0/24 network it can't be returned.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
First off, why do you have two separate networks at the Hub site?

This is a really, really poorly designed network from what you've told us.

Fix the design and the issues you have will not be issues any longer.
 

cygan

@Lemieux66: Would that mean I will have to remove the existing gateway of 192.168.1.1 on NIC2, and then put 192.168.0.1 on NIC1, because it says multiple gateways will not function properly when gateways are on two separate disjoint networks? One more thing is that though 2 locations are shown here, there is a third location in which client computers connect to server 2 via Remote Desktop, so I guess that the gateway of 192.168.1.1 on NIC2 of server 2 will have to remain. And there is a proxy server working out on Server 1, so internet access is required there as well. Please suggest.

@drebo: regarding the design, you mean have multiple IPs on the same NIC?
 

drebo

No, I mean address why you think you need two networks at that site or why you're not using VLANs and routing between the two networks.
 

cygan

@drebo: the whole network was built piecemeal. I know that the network is not optimally configured, but at present I cannot change anything. Is there any way I can direct traffic coming from the 192.168.16.x segment to the server2 at 192.168.0.242/192.168.1.242? Is there any way I can somehow route the traffic between these segments, without changing the present parameters? Or something like combining the gateways? Please suggest
 

drebo

The only thing you can do is configure a static route on the server for the 192.168.16.0/24 network through its appropriate gateway. However, that is still terrible design and I would not recommend it.

Correct the network design and these problems will go away.
 

cygan

I tried adding the following on server1:
route add 192.168.16.0 mask 255.255.255.0 192.168.0.1

I can then direct traffic or ping from the server to the 192.168.16.0 network. But the reverse does not work, i.e. I don't get a response from either server when I ping from the 192.168.16.x network. Is there any way I can use a router in between the two segments to combine them?
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
What is the purpose of the 192.168.1.x network? How many devices are on each network subnet? Are 192.168.0.x and 192.168.1.x in different buildings or something? From your diagram, both of these two networks are connected via one physical switch, so are you using VLAN routing in this switch?

Also, in your diagram PC1, PC3 and PC4 do not show a default gateway. Is this correct? If so, without a default gateway address, these computers have no way to communicate with systems on a different subnet. You really need to get your network set up properly, both physically and logically, to work correctly. Every system needs a default gateway (should be whatever the local MPLS router is at each segment) to communicate with other network subnets.
 

cygan

@kevnich2: Oops, I missed out on that one. PC3 & PC4 have a default gateway of 192.168.16.1. I have corrected the diagram too. My basic requirement now is that PC3 & PC4 communicate with Server 1 & 2, i.e. from PC3 & PC4 to Server 1 & 2. Server 1 & 2 can communicate with PC3 & PC4 after static routes were added. My question would be how to route the traffic to server 1 & 2 (at least server 2) from PC3 & 4 because the server gateway is 192.168.

No, there is no VLAN routing at the moment. There are about 120 PCs on the segment. The purpose of the 192.168.1.x network was to keep the internet on a proxy server, except to the servers which users access from outside via remote desktops.
 

kevnich2

Ok - are there ANY devices and if so, how many, besides the router and the two servers in the 192.168.1.x subnet? If it's just the router and the two servers - reconfigure it so you eliminate the 192.168.1.x subnet. Bring your internet router into the 192.168.0.x subnet as 192.168.0.254 and then put in an ACL rule in the internet router/firewall so that only your proxy server can communicate between the internet and the network. You will need to reconfigure your PCs to communicate with the proper proxy server IP address. You don't show in your diagram which server is your proxy server because this could be changed ahead of time if the server has dual NICs and then once all PCs are using the 192.168.0.x IP address on the proxy server, you can drop the 192.168.1.x network altogether.

The issue you're having stems from the fact that both servers are seeing traffic from 192.168.16.x and both servers don't have an interface in that subnet, so it's sending its response traffic to its default gateway, which is 192.168.1.1.

You have left a LOT out of the network diagram so this is pure speculation, but your traffic is likely hitting the servers from PC3 and PC4 but when the server is sending its traffic back, it's actually sending it out to the internet. The static route will work because you're telling the servers all traffic that is destined for 192.168.16.x, to send it to 192.168.0.1 instead. Keep in mind this will need done for EVERY device that has a default gateway of 192.168.1.1.

Where PC3 and PC4 traffic is going is purely dependent upon what routes are programmed into your two MPLS routers on 192.168.0.1 and 192.168.16.1. A simple test to see is on one of those PCs, do a traceroute to one of the server's IP addresses and follow the hops it takes. You don't want to see a 192.168.1.x IP in the traceroute output.

As drebo pointed out, your network is....well, not set up correctly at all. Keep things as simple as possible so that when things don't work or break, they're easy to diagnose. The way your network is set up is IMHO broken. Either learn what is involved with networking or hire an outside Network consultant to come in and get things straightened out. Having a hodgepodge patchwork like you have is just asking for trouble.
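The return-path behaviour described in this thread, modelled as an added example (not code from any poster): a longest-prefix-match lookup over server 1's routing table before and after the `route add` command cygan posted. The function names, the `on-link` label and the internet client address 203.0.113.10 are constructed for illustration; the NIC addresses and gateways are the ones given in the thread.

```python
import ipaddress

def route(prefix, next_hop, iface):
    return (ipaddress.ip_network(prefix), next_hop, iface)

def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None  # no route to host
    _, next_hop, iface = max(matches, key=lambda r: r[0].prefixlen)
    return next_hop, iface

def reply_path(table, arrived_on, client):
    """Where the server sends its reply, and whether that is the NIC the request arrived on."""
    hit = lookup(table, client)
    if hit is None:
        return {"next_hop": None, "out_iface": None, "symmetric": False}
    next_hop, iface = hit
    return {"next_hop": next_hop, "out_iface": iface, "symmetric": iface == arrived_on}

# Server 1 as described in the thread: NIC1 has no gateway, NIC2 holds the default.
SERVER_BEFORE = [
    route("192.168.0.0/24", "on-link", "NIC1"),
    route("192.168.1.0/24", "on-link", "NIC2"),
    route("0.0.0.0/0", "192.168.1.1", "NIC2"),
]
# After: route add 192.168.16.0 mask 255.255.255.0 192.168.0.1
SERVER_AFTER = SERVER_BEFORE + [route("192.168.16.0/24", "192.168.0.1", "NIC1")]

if __name__ == "__main__":
    # Constructed clients: spoke PC, hub PC, and an internet client arriving on NIC2.
    clients = [("192.168.16.63", "NIC1"), ("192.168.0.207", "NIC1"), ("203.0.113.10", "NIC2")]
    for label, table in (("before", SERVER_BEFORE), ("after", SERVER_AFTER)):
        for client, arrived in clients:
            print(label, client, reply_path(table, arrived, client))
```

The /24 static route only overrides the default for the spoke subnet, so internet-facing traffic still leaves via 192.168.1.1. On Windows, `route add` without `-p` does not survive a reboot; `route -p add` stores the route persistently.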
 

kevnich2

One other thing, as I mentioned you left a lot out of your network diagram. I would update it with a few of the things the servers are for, such as internet proxy servers so we can see what servers do what. Knowing one of them is a proxy server is an important detail but you don't mention which one. You also don't mention if the proxy server is ONLY a proxy server or if it serves other purposes as well. What's also needed is more description for your router at 192.168.1.1. What kind of router is it? Is it also a firewall?
 

cygan

@kevnich2: Thanx a lot. I tried adding a static route on the server 2 (the SAP Server), and it worked. And to be honest, it wasn't working that way yesterday. However, I am a little scared because there is so much of experimentation done, I am in fact not sure which one worked. In fact I am even scared to reboot the servers. By the way, server 1 is the proxy server. All the three routers are in fact Fortigate products and all of them have firewalls.
The main purpose of the two NICs in the servers was to use one for the intranet, and the other one as the interface to the Internet. The purpose was to keep the two networks distinct. Any suggestions on that one please?

However, I shall definitely consider your advice, and eliminate the 192.168.1.1 network altogether. What started as a small network of about 15 computers has grown now into a 120 computer network over the past 8 to 9 years. I know the network design is horrible, but in fact at that point in time, I may have been looking at the easiest way out, i.e., not restructure things out with changes taking place, and most probably this could be the reason for the state that the network has come to be, as on day.

The client will be shifting to a new location in the next three months which gives me an opportunity to straighten things out. I will definitely try to restructure the network by breaking it up into VLANs, and knocking off unnecessary segments altogether. Would you like to give me any suggestions for the same?
 