Dual WAN Advice Please

Not the same solution at all. The one I posted only requires one ISP connection per building, but allows for failover via IP SLA tracking and HSRP prioritizing. The solution you seem to have provided would probably work for outbound connections, but would likely result in suboptimal failovers/performance. I could even see how it could result in asymmetric routing if configuration to prevent it isn't done.
Two Cisco rv082s in load balance mode would work perfectly fine with a connection from each wan like you've outlined. And when set up correctly, the failover can be almost instant (you can set it to disable a wan with as little as one failed ping). I don't see how an asymmetrical routing scenario could develop in a situation like this since the two networks are still not directly routing to each other.
 
How were you planning on keeping remote connectivity between the buildings?
The same way they are now--use the external IPs.
Ditto for IP security cameras - I can see his by using his external fixed IP, but it would be so much slicker if my cameras & CCTV server could just talk across the network and vice versa.
And the route could be fixed so that it will go out on the wan that is shared with the other business so they will basically be on the same subnet (assuming the ISP assigns them sequential IPs), so speed should be great.

A site-to-site VPN could also be used, but this would logically join the networks, and from what I can gather from this statement, I don't think that's what the OP wants to be done:
There are two independent businesses with absolutely no desire to share a single router, but we are happy to allow our DS411+s to back up to the other guy's (with appropriate security). If one office burns down, the maximum lost data is a couple of hours work.
The OP's requirements are a bit unclear since there's a statement about not wanting to connect the two networks and that there is going to be fibre between them:
Connections are not a problem - as previously stated the Cat5e that is already there between me and the neighbouring business will soon be Cat 6 and there is a 32 core multi-mode fibre going in between us.
I also think the real Cisco iron is a bit much for his specs, as he clearly states off-the-shelf--so no CCNA required.
Dual WAN looked to be the way to go, but I'm receptive to any idea that doesn't involve putting all our eggs in one basket. I'm not interested in building a pfsense router out of old bits from the throwaway cupboard; something modest UK priced and off the shelf will do nicely.
This is definitely a simple solution that any smb dual wan router can handle. And I personally know the Cisco rv series can do it since I have several of these.
 
The same way they are now--use the external IPs.

And the route could be fixed so that it will go out on the wan that is shared with the other business so they will basically be on the same subnet (assuming the ISP assigns them sequential IPs), so speed should be great.

A routed link doesn't join the networks and it has the same set up he's got now. It allows two autonomous networks to be able to use the high speed gigabit private line to communicate. You assumed that the ISP is the same for both but even if that is the case, the likelihood that they would be on the same subnet is just a shot in the dark. Utilizing the private link between them would allow high speed file backups and IP camera connectivity without taxing their ISP links. Also, keep in mind that most ISPs rate limit on their handoff equipment, so even if they are on the same segment and subnet, they're still likely going to be limited to their advertised rate.


A site-to-site VPN could also be used, but this would logically join the networks, and from what I can gather from this statement, I don't think that's what the OP wants to be done:

Doing a Site-to-Site VPN over two slow links is just going to make the connection slower due to the overhead. Why bother with it when you have gigabit private line between the networks? It would be absolutely silly not to utilize it!

I also think the real Cisco iron is a bit much for his specs, as he clearly states off-the-shelf--so no CCNA required.
This is definitely a simple solution that any smb dual wan router can handle. And I personally know the Cisco rv series can do it since I have several of these.

A 1800/1900 series router was almost designed to fit this role perfectly, and I would hardly call it 'real Cisco iron', especially sitting next to the 6500s we use. Small offices that need features of larger networks. The RV series was for a small office that wants some VPN capability, and I bet if you asked TAC to come up with a solution for this problem, they would tell you something very similar to what I did. I think the Cisco 800 series may support this as well, but they're also limited to 100m.

You can go ahead and argue your case again and again, I don't care anymore. Hopefully the OP figures it out.
 
A routed link doesn't join the networks and it has the same set up he's got now. It allows two autonomous networks to be able to use the high speed gigabit private line to communicate. You assumed that the ISP is the same for both but even if that is the case, the likelihood that they would be on the same subnet is just a shot in the dark. Utilizing the private link between them would allow high speed file backups and IP camera connectivity without taxing their ISP links. Also, keep in mind that most ISPs rate limit on their handoff equipment, so even if they are on the same segment and subnet, they're still likely going to be limited to their advertised rate.
I don't think understand. If one has two IPs from a single ISP, more than likely those two IPs are in the same subnet. If one IP is going to each router's WAN and each router is communicating to the other via these two IPs, they're on the same subnet and should be quite fast. This would be utilizing the same 'private link' you're referring to as that's how they would connect to each other's ISP.
Doing a Site-to-Site VPN over two slow links is just going to make the connection slower due to the overhead. Why bother with it when you have gigabit private line between the networks? It would be absolutely silly not to utilize it!
Agreed. And I've laid out a way that can be done without expensive ASAs and CCNA/NP config time.
A 1800/1900 series router was almost designed to fit this role perfectly, and I would hardly call it 'real Cisco iron', especially sitting next to the 6500s we use. Small offices that need features of larger networks. The RV series was for a small office that wants some VPN capability, and I bet if you asked TAC to come up with a solution for this problem, they would tell you something very similar to what I did. I think the Cisco 800 series may support this as well, but they're also limited to 100m.
What I refer to as real Cisco iron is the confusing and convoluted world of Cisco's core product of routers (the rv series is really just Linksys stuff they bought out). Finding out even which model to buy from the Cisco web site is a nightmare with the various configurations available without any real details on what each one does.

And then you have to deal with Cisco IOS. Damn powerful, but damn steep learning curve if you've never touched it. For someone that wants a drop-in easy solution, it's not my first choice.
You can go ahead and argue your case again and again, I don't care anymore. Hopefully the OP figures it out.
I'm not arguing--just presenting a different configuration that does the same job as yours for well under $1k.
 
Well, the OP is pretty much in over his head now, slowly drowning in abbreviations and getting a vague picture that I might end up using a howitzer to get rid of mildly troublesome vermin.

But I'm sure I'll figure it out somehow.

To my mind the debate ended up with more heat than light and some of the debate covers stuff that I outlined in the first post so could easily have been avoided. For example, I've stated that there are two broadband connections from two different ISPs. Contrary to the assertion that, "The OP's requirements are a bit unclear..." I thought it was so simple it didn't even need a diagram. Two distinct business systems with a desire to share some resources. Simples.

Apologies for prompting more debate than I thought it warranted, but at least I've learnt a few things on the way through.

.
 
Well, the OP is pretty much in over his head now, slowly drowning in abbreviations and getting a vague picture that I might end up using a howitzer to get rid of mildly troublesome vermin.

But I'm sure I'll figure it out somehow.

To my mind the debate ended up with more heat than light and some of the debate covers stuff that I outlined in the first post so could easily have been avoided. For example, I've stated that there are two broadband connections from two different ISPs. Contrary to the assertion that, "The OP's requirements are a bit unclear..." I thought it was so simple it didn't even need a diagram. Two distinct business systems with a desire to share some resources. Simples.

Apologies for prompting more debate than I thought it warranted, but at least I've learnt a few things on the way through.

.
There's always different ways to skin a cat, and I was trying to present something that would fit your taste for configuration and 'messing with the network'. Cisco ASA routers are no joke to try to configure, and you can lose DAYS in attempting to do so, not to mention their cost.

The only parts that I found confusing (and it's my fault for not asking for clarification) were the following:
1. Are there ethernet lines between the businesses? If so, how many and what is their current purpose?
2. You mention that you want to keep the business networks separate, but any lines directly connecting the two actually do join the two networks. Are you okay with this in order to access resources between the two businesses faster? There are ways to avoid this without increasing expense--it just requires some creative configuration.
 
To make it work assuming both of you use dual WANs is to plug your internet into WAN1 and the 2nd WAN/port into your neighbour's LAN port. Set up WAN1 as usual and set up WAN2 using DHCP and set WAN2 to be failover. It's really simple.

For your neighbour's setup you will need to do the same thing. Because you're plugging WAN2 into LAN ports you do not need to worry about loops as long as WAN2 interface is not defined to be part of LAN. If it is not switched then it would be even better.

This appears to be the answer to one of my own questions. I stumbled upon this thread looking for something else, but it looks like I am lucky. But I am not exactly sure if I understood the procedure correctly.
If I may, let me describe my project, which is somewhat similar to the one discussed here.

We (the users in question) are two neighbors, about 200 ft distant but with possibility to pass Ethernet cables between our homes. I have one ISP which goes down a bit too often and I want a backup from another ISP, possibly without having to pay two fees. My neighbor is planning to get internet, so he could subscribe another ISP and my idea is to share both ISPs among us for more safety. As we should each have the same cost and each his own LAN without interfering with the other, I have thought to connect the input of a bridged router or a switch to each of the modems in order to get two connections for each ISP. Then connect one switch output to WAN1 of my dual WAN router and another connector of the switch to a 200 ft LAN cable which my neighbor will connect to his WAN2, and vice versa. So each of us should be able to use 2 ISPs and have his LAN isolated from the other. Is this what you meant? It appears to me that you suggested a solution without the switch between the modem and the dual WAN router. Does this mean that one of the LAN connectors of the dual WAN router can be set to replicate exclusively WAN1?
Will the two LANs be isolated even if they use the same subnet numbers, as they are "behind" two different routers?

Second question.
I wonder if the failover can be arranged without setting one ISP as the main ISP and use the other only in case of failure, like I have read in the tutorial "How To Set Up Your Dual-WAN Router". I would rather like to use the entire bandwidth of both ISPs and just have reduced bandwidth if one of them goes down. Is this doable? I am considering to use two "TP-LINK TL-R470T+"
 
How about 2 layer 3 switches behind 2 routers? Create a VLAN between both layer3 switches. You can control all network sharing or not using this VLAN.
 
How about 2 layer 3 switches behind 2 routers? Create a VLAN between both layer3 switches. You can control all network sharing or not using this VLAN.

Could you please explain this in a bit more detail? I am not very experienced in networks, just have basic knowledge, sufficient to set up a router in a simple LAN.

What I understand is that you propose not to use 2 dual WAN routers but 2 normal routers instead. Then connect a layer 3 switch to one LAN port of each router. My questions:
- Isn't a layer 3 switch just a combination of router and switch? So if there is a router, what does the switch do that the router cannot do?
- can you suggest suitable models (actually I am using a cheap Tenda W306R router with 1 WAN, 4 LAN and WLAN)
- How would the connection between the two users be made?
- How would the VLAN between the 2 switches be created and used?
- What about the required two separate LANS, one for each user?
- How does the failover work in your proposed model?

Sorry for the many questions, but I need to understand how your proposal works, in order to build the system.
 
Could you please explain this in a bit more detail? I am not very experienced in networks, just have basic knowledge, sufficient to set up a router in a simple LAN.
.

I thought you and your neighbor were going to back up each other's router but not share networks.

You may not possess the skill set to set up the equipment I recommended.
 
I thought you and your neighbor were going to back up each other's router but not share networks.

You may not possess the skill set to set up the equipment I recommended.
1) You are correct, we only want to back up the internet connections. We do not want to share each other's local area network. Sorry if I wrote anything that makes you think differently.

2) I certainly do not have the knowledge to set up an equipment that has only been described vaguely like "How about 2 layer 3 switches behind 2 routers? Create a VLAN between both layer3 switches."
If I had, I would not need advice. This is why I am here.

I do have the skills to set up a network if I know which devices to use and how to connect them. I do have the skill to read and understand a manual and I do have the skill to set up a router using its manual. Have done this quite some times in my life.

Nobody can be an expert in everything and although I have been an electronics engineer, this has not been my specialty and I had never before the need to set up anything more complex than my own LAN with a few pc's and some IP cams with port forwarding.

If you just want to brush off someone's request for help who does not have your level of knowledge in this very special field, why bother to respond at all?
This said, your assistance is welcome if it is seriously meant to help.
 
Let's simply identify the goal, and explain a solution as succinctly as possible, shall we?

Goal:
Create mutual WAN fail-over using independently-networked ISP connections at neighboring houses.

Solution:
A dual or multi-WAN router located at each house, each with fail-over capability, a built-in multi-port switch and the ability to assign ports to different LAN subnets.
Run twin ethernet cables between the houses, each a different color or uniquely labeled if the same color (I'll use blue and red in this example).
At house #1, you'll plug the blue cable into the second WAN interface (ethernet port) and the red cable into the last LAN interface.
At house #2, you'll plug the red cable into the second WAN interface and the blue cable into the last LAN interface.
On each router, you'll assign the last LAN port its own subnet, to segment it away from the other LAN ports (ie. the neighbor's internal network).
Also on each router, you'll set up the WAN failover schema. Then you're done. :)

Yes, I realize you could run just a single cable, but then you'd most likely have to tag and VLAN the traffic between each device, trunk that tagged traffic, etc. -- it's more complex, less redundant, and also doesn't allow for independent duplex bandwidth dedicated solely to each secondary WAN link, the way simply running 2 cables would.

If the process above sounds too complex, you have a couple choices. Either get a networking-knowledgeable friend to do the setup, or use something extremely user-friendly like a pair of Peplink Balance 20s, hook each one up to its primary WAN connection, get the house-to-house cables ready, then call Peplink support, explain to them what you want to do, and they'll literally walk you through it remotely, even via screen share if required.
 
The layer 3 switch recommendation is a classic case for a layer 3 switch. The nice thing about layer 3 switches is they route at nanosecond speed whereas a router will route at millisecond speed. The layer 3 switch is a much better and faster router for a local LAN. The more I look at the lower end layer 3 switches like the Cisco SG300 switch the less capability I am finding. Cisco has dumbed down this switch to where there does not seem to be a way to control the default gateway in this switch so it may not be a good recommendation after all. I am not sure at what level up you need go to allow this. You would not want to start at this level anyway. Working with 2 layer 3 switches will require networking experience. Without a good networking understanding I doubt you would be able to make it work. I think your undertaking to solve this task is good. Working with networks trying things like this task will build good networking knowledge.
 
Let's simply identify the goal, and explain a solution as succinctly as possible, shall we?

Goal:
Create mutual WAN fail-over using independently-networked ISP connections at neighboring houses.

Solution:
A dual or multi-WAN router located at each house, each with fail-over capability, a built-in multi-port switch and the ability to assign ports to different LAN subnets.
Run twin ethernet cables between the houses, each a different color or uniquely labeled if the same color (I'll use blue and red in this example).
At house #1, you'll plug the blue cable into the second WAN interface (ethernet port) and the red cable into the last LAN interface.
At house #2, you'll plug the red cable into the second WAN interface and the blue cable into the last LAN interface.
On each router, you'll assign the last LAN port its own subnet, to segment it away from the other LAN ports (ie. the neighbor's internal network).
Also on each router, you'll set up the WAN failover schema. Then you're done. :)
.....

Wow, love this answer. Short, precise and to the point. Thanks a lot.
This is basically what I imagined, but I was not sure whether it would be possible to do the cross linking that you describe. My doubt was that this way I might risk backcoupling of the packets. But thinking it over well, it cannot happen as in failover mode only the primary OR the secondary WAN will be active.
We're both on a budget (that's why I am trying to avoid having two ISP's on my own and use my neighbor's instead). Buying two dual WAN routers from TP-Link and 150 m of LAN cable is a lot cheaper than paying 2 ISP's month after month. Hopefully these routers allow to set up everything like you propose.
In any case I will need to put either a switch or a router with WLAN behind the dual router because I need WLAN and more LAN ports than the dual WAN has left. As I have both available, what would you recommend, the router or the level 2 switch? In my understanding, the router would give my LAN a better separation.
 
The layer 3 switch recommendation is a classic case for a layer 3 switch. The nice thing about layer 3 switches is they route at nanosecond speed whereas a router will route at millisecond speed. The layer 3 switch is a much better and faster router for a local LAN. The more I look at the lower end layer 3 switches like the Cisco SG300 switch the less capability I am finding. Cisco has dumbed down this switch to where there does not seem to be a way to control the default gateway in this switch so it may not be a good recommendation after all. I am not sure at what level up you need go to allow this. You would not want to start at this level anyway. Working with 2 layer 3 switches will require networking experience. Without a good networking understanding I doubt you would be able to make it work. I think your undertaking to solve this task is good. Working with networks trying things like this task will build good networking knowledge.
Thank you coxhouse for this answer. You are correct, I should at least start with a solution that is as simple as possible. I have also looked up info about level 3 switches and what seemed suitable is quite expensive for our non professional situation. And although I understand what a VLAN is and does, I have never set up any and for someone like me who has no experience this would be a risk to waste a lot of time and money without maybe getting it ever to work.
I am not dreaming of being able to replace a network pro by using google and unfortunately I have no friend here who could guide me through the setup. And pros are not cheap for a reason.
So I will try the solution proposed by Trip, which is basically the one that I imagined first. If it does not work, I can still try something even simpler, i.e. switch over to my neighbor's ISP manually if mine fails.
 

Behind each dual-wan router you can certainly connect a layer-2 switch of any port density you desire (8-port, 16-port, etc.) for more wired connections to the router. (Note: that's "layer", not "level" -- you may want to Google "OSI model" just as a general primer on the difference between different layer devices involved in networking)

For adding in wireless behind the dual-wan router, you'll want an Access Point only, absent of any on-board routing (or all-in-one wireless router set as just an access point); this will keep you from doing what's known as double-NAT (double Network Address Translation -- google it if you like).

As for routers, like I said, a pair of Peplink Balance 20's would be my first choice for this project; Linksys LRT224's on the cheap, if you must. Re- TP-Link, their pedigree in multi-wan is middle-of-the-road, but your mileage may vary.
 
Thanks Trip, I am aware that it should be "layer". Don't know what made me write "level", other than that both start with "L".
I have researched various brands and I agree, from customer reviews the Peplink seems to be best in this category.
Re double NAT, I checked and from what I understand I already have it, although I have not had any problem with it. The DSL modem is a combined modem-router with only one LAN port, so the router that I connected to it does not see the WAN but is in a LAN with 192.168.1.x addresses while on the LAN side of my router I have 192.168.0.x addresses.
Port forwarding works well. The entire range of used ports is forwarded in the modem router to my router and then from there to each single device.
I wonder if this situation might be an obstacle to use the dual WAN router.
To avoid double NAT, I would probably have to set the modem-router as a bridge, but I have not yet found indications how it can be done. It is a ZTE "ZXDSL 831 II". (According to the maker, it can be done).

BTW in my reply to coxhouse I have added the two schemes that I had in mind. One of them corresponds to the one that you propose, at least this is how I understood you. I have sent the same drawings to TP-Link and unfortunately they said this cannot be done. They propose to use only one dual WAN Router and connect both ISPs and then bring a cable from one of its LAN ports to the neighbor. So no cross wiring. Would certainly be cheaper, especially if I use the Peplink.
 
Last edited:
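An added example, not part of any post in this thread: a Python check of the addressing plan for the cross-cabled layout described above (second WAN port into the neighbour's dedicated last LAN port) together with the double-NAT condition discussed in the last few posts. The function names, the "handoff" subnets and every address except the 192.168.1.x / 192.168.0.x ranges quoted in the thread are constructed assumptions; the script checks addressing only, not the routers' firewall rules between ports.

```python
import ipaddress

# RFC 1918 private ranges. A WAN1 address inside one of these means the
# modem in front of the router is still routing (not bridged).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_router(name, wan1_addr, lan, handoff, wan2_net):
    """Return a list of findings for one dual-WAN router.

    wan1_addr: address the router receives on WAN1 from its own modem
    lan:       subnet of the router's internal LAN ports
    handoff:   subnet on the last LAN port (feeds the neighbour's WAN2)
    wan2_net:  subnet this router's WAN2 joins (the neighbour's handoff)
    """
    wan1 = ipaddress.ip_address(wan1_addr)
    lan, handoff, wan2_net = (ipaddress.ip_network(n)
                              for n in (lan, handoff, wan2_net))
    findings = []

    if any(wan1 in net for net in RFC1918):
        findings.append(f"{name}: WAN1 {wan1} is private, "
                        "modem not bridged (double NAT)")
    if handoff.overlaps(lan):
        findings.append(f"{name}: handoff {handoff} overlaps LAN {lan}, "
                        "neighbour lands in the internal network")
    for label, net in (("LAN", lan), ("handoff", handoff)):
        if wan2_net.overlaps(net):
            findings.append(f"{name}: WAN2 subnet {wan2_net} overlaps own "
                            f"{label} {net}, failover path cannot route")
    return findings


def check_pair(house1, house2):
    """Each router's WAN2 sits in the other router's handoff subnet."""
    findings = check_router("house1", house1["wan1"], house1["lan"],
                            house1["handoff"], house2["handoff"])
    findings += check_router("house2", house2["wan1"], house2["lan"],
                             house2["handoff"], house1["handoff"])
    return findings


# Constructed sample plans. House 1 "bad" mirrors the thread: the router's
# WAN sits in the modem's 192.168.1.x LAN, the internal LAN is 192.168.0.x,
# and the last LAN port was left in the default LAN subnet.
BAD_HOUSE1 = {"wan1": "192.168.1.2", "lan": "192.168.0.0/24",
              "handoff": "192.168.0.0/24"}
# Bridged modem (documentation-range public address), dedicated handoff.
GOOD_HOUSE1 = {"wan1": "198.51.100.7", "lan": "192.168.0.0/24",
               "handoff": "192.168.10.0/24"}
# Neighbour uses the same internal LAN numbering, which is acceptable
# because each LAN is behind its own NAT router.
HOUSE2 = {"wan1": "203.0.113.10", "lan": "192.168.0.0/24",
          "handoff": "192.168.20.0/24"}

if __name__ == "__main__":
    for title, plan in (("bad plan", BAD_HOUSE1), ("good plan", GOOD_HOUSE1)):
        print(title)
        for finding in check_pair(plan, HOUSE2) or ["no findings"]:
            print("  " + finding)
```

Even in the clean plan, traffic that fails over through the neighbour is translated twice (once by each router), because WAN2 receives a private address from the neighbour's handoff port.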
I would not want my WAN connection at my neighbor's house. I guess if it is your parents then it might work. Seems like you would want a solution where each of you control your own WAN connection. Then if either WAN connection fails your network traffic is routed to your neighbor's LAN and out his router.

You need to put your modem in bridge mode so your WAN has an outside IP address. Double NAT is not good.

PS
What if you lose power and both WANs are at one house. Say a breaker goes bad. You need to replace your breaker box. The houses are not on the same power grid. etc. The other guy is out of luck for a WAN connection. It would be best to separate the WAN links for the best up time.
 
I would not want my WAN connection at my neighbor's house. I guess if it is your parents then it might work. Seems like you would want a solution where each of you control your own WAN connection. Then if either WAN connection fails your network traffic is routed to your neighbor's LAN and out his router.

You need to put your modem in bridge mode so your WAN has an outside IP address. Double NAT is not good.

Thank you for your thoughts. You are correct, I would not want my neighbor to snoop in my network and this indeed is a concern for me. Especially because he is going to rent his apartments to other people whom I probably won't even know. So the goal is to use both ISPs while being able to separate both LANs and avoid intrusion.

The Chinese producer of my ADSL modem (ZTE) won't supply me info about bridging and told me to contact my ISP, who is notably not responsive to user requests ("TIP" ... "this is Panama").
I have searched on the internet, though, and think I will find a way to bridge it. Someone proposed to activate DMZ, but as far as I understand this would not be the right solution considering the privacy issue.
So my first task right now is to find a way to bridge the modem-router.
The strange thing is that, looking at the setup of the modem-router, it appears to be already set as a bridge.
I upload here the various screens of the "Quick setup" of the modem-router as they are shown when I click through them without changing anything. I would appreciate if you could have a look at them and tell me what should be changed to modify the router into a bridge.
(last 2 pics attached to next post)
 
