In Steve Gibson 3 router architecture, how do I allow the office access to the IoT


If you can't make it all work a work around is to unplug and plug into a different network or join a different wireless on a different network. Just bounce around from network to network. That will work for a while.
 
If you can't make it all work a work around is to unplug and plug into a different network or join a different wireless on a different network. Just bounce around from network to network. That will work for a while.
I already do that with a switch on my desk to go from one IP domain to the other to compensate for the limitation of the Multicam CNC ... I need to be in the same IP domain ... I just pull a plug and insert it into another and I am in the right domain ... but ... for the IoT router from the Office ... work in progress ...

I tried to remove the NAT masquerade between the two routers ... without removing the WAN interface ... I just cut the internet ... bummer ... must be more intricate than I think ...
 
I just thought of something ... all three routers are defined as getting WAN from eth1 ... but both the office and IoT routers are connected to another router ... the border ... how do you define the uplink to the border router? There still needs to be a route for 0.0.0.0/0, no? And when I remove NAT masquerade on them both ... I lose internet ... so how do you define an uplink to another router without masquerade?
 
I think you are confusing yourself between firewalls and networks. Address each separately.
That you are 100% right ... I really don't know what I'm doing ... having some difficulties with the concepts ...

I have multiple networks (VLAN) but only one firewall per router ... ok I could have another firewall in front ... but ... where exactly do I confuse the two ?

I want two networks to talk to each other ... one way ... meaning one can go into the other but the other cannot ... it works fine on the same router (I do it with my cloud and cncs) ... the problem is going through another router ... with a probable bad definition on the uplink connection (eth1) ... which is defined as being the wan link ... which in itself is not true since there is another domain on the border router ... so it is a LAN uplink ... how do I define that in an EdgeRouter-X ? lol
 
Hum ... solution might be close by ... everybody tells me to use a L2 switch downstream ... the router can be configured as an L2 switch ... I'll have to try that ... I would have a trunk ... no ? instead of a gateway ...
 
Good thing then that it is for my office and a personal project (the one with the 10 ports) where things will be much simpler since everything will be by design ... (escape room concept) ...
Am I the only one here who's never heard of an "escape room concept" in relation to network design? :confused:
 
Am I the only one here who's never heard of an "escape room concept" in relation to network design? :confused:
Sorry about that one ... has nothing to do with network design ... the escape room concept is a game for kids or for team building in short groups ... have to solve different puzzles to be able to get out of the room ! uses many raspberries and wifi and all ... for the events of the electronics ... using MQTT broker and all ... does that help ? ;) lol
 
Only to confirm that I'm too old. :D
Trust me ... I was ... three weeks ago lol didn't know what it was either until they showed it to me ... but not connected to any computer ... therefore my presence ... the wow factor for those guys ... chapeau (I pull my hat) So I'm having fun designing something for the big kids in us all :)
 
I hate DHCP and firewalls in multiple locations. It is part of the clumsy which I don't like. Use a business class router and you will have it all in 1 location which will be much simpler.
 
I hate DHCP and firewalls in multiple locations. It is part of the clumsy which I don't like. Use a business class router and you will have it all in 1 location which will be much simpler.
LOL again, I like to understand what needs to be done ... be it hard or not ... I am not changing the equipment ... I live with it and make it what it can be ... but it should be a no-brainer ... everywhere we get access to different networks so it should only be a matter of doing the right thing to make it work ...

From what I understand, I need to define a static route from the office to the IoT going through the Border ... and change the links between the routers not to do masquerade between them ... easy to say ... now I want to know how to do it ... saw some errors in my rules ... will try that this weekend when I don't need the internet so much lol

I'll try asking the question on ubnt site ... might have an answer on what I'm doing wrong (besides using the wrong equipment as you all seem to say ;))
 
From what I understand, I need to define a static route from the office to the IoT going through the Border ... and change the links between the routers not to do masquerade between them ... easy to say ... now I want to know how to do it ... saw some errors in my rules ... will try that this weekend when I don't need the internet so much lol
If you wanted specific help configuring your routers rather than general suggestions you should have stated clearly from the outset that you are using EdgeRouters. You've only mentioned that once in passing in post #15.
 
My error ... I'm a tad exhausted sorry ... took too much on my plate ... running 2 CNC and learning pyboard while trying to configure something that I thought was easy took a toll on my brain power ...

So yes, it is 3 EdgeRouter-X with 5 ports on each ... I dedicated eth0 to be the maintenance port on all of them (using 10.22.22.1/24) ... planning to lock the ui to that port when everything works fine with something like that :

CLI:
configure
set service gui listen-address 10.22.22.1
commit
save

... almost there I'd say ...
 
If you have edge routers you should be able to do what you want with 1 router providing they are in the same location. No reason to have separate routers. Just setup a network VLAN for each router so instead of 3 routers you would have 3 networks. Then you need to setup routing between the networks. After routing works then setup ACL access lists to restrict access based on what you want. I guess you know you can't route Apple devices and stay in the Apple framework. Also there are a few Windows things that are different on a routed network. Other than this it should all work.

Steve Gibson's 3 router setup is for consumer routers with no VLAN support.

As far as specifics I am not an edge router person. I do this all the time in the Cisco world.
 
Steve Gibson's 3 router setup is for consumer routers with no VLAN support.
That would explain a lot lol

My office router is configured like that ... 2 VLANs and rules to only allow one domain to access them all ... one way ... but I thought hey why not try this 3 router thing ... it works fine ...

In the end if it is not working ... I'll live with the fact that I need to disconnect from one to get to the other ... it is not for a house with intelligent tv and all ... so ... and if I get tired ... I'll reconfigure it all and buy managed switching gear behind the lone router ...
 
News flash ! Got it to work perfectly ! It's only networking ! I have added a document publishing how to do it with 3 Edgerouter-X ... my document is in pdf ... it is a step by step instructions to do it using Edgerouter-X

The principle is simple ... configure the router ... add routes so that packets go from one to the other and vice versa ... and then add firewall policies to say who can see what! Said like that it is simple but ... it works fine! The office has access to the IoT but the IoT does not have access to the Office!

Oh ... and I removed the double NATing that was there by default ! Quite more responsive lol
 

Attachments

  • Publication-2020-03.pdf
    355.3 KB · Views: 597
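The post above (and the plan two posts earlier: static routes through the border, no masquerade between the routers, one-way firewall policy) describes the configuration without showing it. What follows is an added EdgeOS example written for this page; it is not taken from the attached PDF or from any Ubiquiti documentation. Every address is an assumption: border router LAN 192.168.1.0/24 with the office router's eth1 at 192.168.1.2 and the IoT router's eth1 at 192.168.1.3; office LAN 10.10.10.0/24; IoT LAN 10.20.20.0/24 on the IoT router's eth2. The NAT rule number 5010, the firewall names and the rule numbers are also assumptions; check `show configuration` on each box for the real ones before deleting anything.

```edgeos
# ===== Border router =====
# Assumed addressing: its LAN is 192.168.1.0/24; it is the only box that masquerades to the ISP.
# It must know where the two downstream LANs live, otherwise replies coming back from the
# IoT side have nowhere to go once the office router stops masquerading.
configure
set protocols static route 10.10.10.0/24 next-hop 192.168.1.2
set protocols static route 10.20.20.0/24 next-hop 192.168.1.3
commit
save
exit

# ===== Office router =====
configure
# Assumed: rule 5010 is the masquerade on eth1 that the setup wizard created.
# Removing it is what makes the office hosts visible to the IoT router by their real 10.10.10.x address.
delete service nat rule 5010
# Default route and the route to the IoT LAN both point at the border router (assumed 192.168.1.1).
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static route 10.20.20.0/24 next-hop 192.168.1.1
commit
save
exit

# ===== IoT router =====
configure
delete service nat rule 5010
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols static route 10.10.10.0/24 next-hop 192.168.1.1

# Uplink side (eth1, direction "in" = packets arriving from the border).
# The wizard's usual ruleset drops everything new; sessions opened from the office must be let in.
set firewall name UPLINK_IN default-action drop
set firewall name UPLINK_IN rule 10 action accept
set firewall name UPLINK_IN rule 10 description 'replies to sessions IoT devices opened'
set firewall name UPLINK_IN rule 10 state established enable
set firewall name UPLINK_IN rule 10 state related enable
set firewall name UPLINK_IN rule 20 action accept
set firewall name UPLINK_IN rule 20 description 'office may open sessions into the IoT LAN'
set firewall name UPLINK_IN rule 20 source address 10.10.10.0/24
set firewall name UPLINK_IN rule 20 state new enable
set interfaces ethernet eth1 firewall in name UPLINK_IN

# LAN side (eth2, direction "in" = packets leaving the IoT devices).
# Replies to office-initiated sessions pass; IoT devices may not start sessions toward the office.
set firewall name IOT_LAN_IN default-action accept
set firewall name IOT_LAN_IN rule 10 action accept
set firewall name IOT_LAN_IN rule 10 state established enable
set firewall name IOT_LAN_IN rule 10 state related enable
set firewall name IOT_LAN_IN rule 20 action drop
set firewall name IOT_LAN_IN rule 20 description 'no new sessions from IoT to the office'
set firewall name IOT_LAN_IN rule 20 destination address 10.10.10.0/24
set firewall name IOT_LAN_IN rule 20 state new enable
set interfaces ethernet eth2 firewall in name IOT_LAN_IN
commit
save
exit
```

To check it, `show ip route` on each router should list the other LAN with the border router as next hop; a ping from an office host to a 10.20.20.x device should answer, and a ping from an IoT device to 10.10.10.x should not. The two rulesets on the IoT router are deliberately redundant: UPLINK_IN is the one that actually lets office traffic in, and IOT_LAN_IN keeps the IoT devices from starting sessions the other way even if UPLINK_IN is later loosened. With masquerade gone between the routers, the firewall logs show real 10.x source addresses instead of the uplink address, which is also why the double NAT felt sluggish.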
I am glad you got it to work. But why use 3 routers? What requires a second router? One router and 1 L2 switch will accomplish what you want. One router can route all the VLANs. Personally I would run a L3 switch to route all the local traffic.
 
I agree with Coxhaus. One Edgerouter-x could do it all. In fact if done with one Edgerouter you would not even have to add routes, it would do it for you when you set up the interfaces. Having three routers is unnecessarily complicated (unless this is a home lab for learning). Anyway I'm glad you got it working.
 
