Combining two networks on one WAN IP address

jwhitmor

Distinguished
Feb 1, 2011
13
0
18,510
Hello,
I have two networks: one office network, with workstations, a server, printers, and internet access, and one security network, with IP surveillance cameras and a video security workstation. Both networks have wireless access points with different SSIDs. Each network has its own router and address range. The office network has a single IP address broadband internet connection. The security network currently has no wide area connectivity. I want the security network to have FTP access through the internet to upload security photos to an off-site storage device. What would be the best way to connect it to the existing office infrastructure? Should I just hard-wire the security router's internet port into the switch for the office network, or would it be better to add a switch to the broadband connection and hard-wire both routers into it? I do not want the heavy traffic between the cameras and the security workstation to impact the office network. I just want the security workstation to be connected for an occasional FTP transfer.

Thank you,
J.W
 
What kind of "routers" are you using for this office connection? If you have an upper-class Cisco / near enterprise-class router then this is easy; if you're using SOHOs then this becomes slightly more difficult.

With an enterprise router you just plug a line from the "security" LAN into a port on the router and configure that port to be the GW for that subnet.

If it's SOHO it's a little more complicated. The first router is the office router and has everything plugged into it; one cable will have to go from this router to the security network router's WAN port. On the security network's router you will have to disable NAT but keep routing turned on; depending on the model of the router this procedure changes. You then set the "GW" of the security router to be the IP of the office router. Then configure a static route in the office router that points to the security router for its subnet.

If none of this makes any sense then stop what you're doing and do lots of googling on basic networking and routing and the terms being used. A functional knowledge of subnets and IP routing is required to do what you're attempting to do. It's not hard, but there is no "easy button / wizard" for this.
 
No need for any form of VPN, period. Why the heck would you use Hamachi to connect two subnets behind the same perimeter? That is like driving to the next state to get on the highway to drive to the supermarket in your town.

It's rather simple really, but requires that either you use two routers or that the first router have three routing interfaces.

Router 1
Eth0 WAN
Eth1 LAN 1 -> local switch, 192.168.20.1/24 (never ever ever use 192.168.1.0/24)
Eth2 LAN 2 -> wireless AP switch, 192.168.21.1/24

Data network switch would be plugged into Eth1 on the router and all the clients would be 192.168.20.x/24 IP addresses with their gateway set to 192.168.20.1. Security network switch would be plugged into Eth2 on the router and all the security devices would be set to 192.168.21.x/24 IP addresses with their gateway set to 192.168.21.1. The router would know about both networks and have a default route set to the WAN next-hop router. You could get even more compact by setting up different VLANs for each network, but your router / switch would have to be advanced enough to support it (anything with DD-WRT would work).

Using two SOHO routers is a bit more difficult (I recommend loading DD-WRT on any SOHO router).

Router 1
LAN IP set to 192.168.20.1/24
Clients using 192.168.20.100+/24 IP
Clients GW set to 192.168.20.1

Eth0 -> WAN
Eth1 port 2~X -> local switch clients / wireless devices (Wl0 is usually bridged to Eth1)
Eth1 port 1 -> Router 2 WAN port

Router 2
LAN IP set to 192.168.21.1/24
Client devices using 192.168.21.100+/24
Client GW set to 192.168.21.1

Eth0 -> Router 1 Eth1 port 1
IP set to 192.168.20.2/24
Default GW set to 192.168.20.1

Eth1 -> LAN devices / wireless devices (Wl0 is usually bridged to Eth1)


The hardest part about that is reading the router's manual and setting Router 2 to network router mode, disabling NAT and FW but leaving the routing function on. Why do people insist on using complicated methods to fix what is essentially a simple problem? Use the KISS standard.
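To make the two-SOHO-router plan above concrete, here is an added Python model of it; this is illustration written for this page, not code from the thread or from DD-WRT/pfSense. It walks a packet and its reply through the routing tables of each box using longest-prefix match, and compares Router 2 in its stock "gateway" mode (NAT plus a stateful firewall on its WAN side) with the "router" mode the reply recommends (NAT and firewall off), with and without the static route on the office router. The WAN address 203.0.113.5/24 with next hop 203.0.113.1, the off-site host 198.51.100.10, and the host addresses are assumed values from the documentation ranges; the ISP is modelled as having no route to RFC 1918 space, and a stateful firewall is modelled simply as "drop anything arriving on the WAN side that is not the reply to a session this box translated".

```python
import ipaddress as ip


class Node:
    """A host or router: its addresses, a routing table and optional NAT/firewall on one WAN address.

    routes is a list of (prefix, next_hop); next_hop None means directly connected.
    nat_wan is the WAN address used for outbound NAT; setting it also turns on the
    stateful-firewall behaviour of a stock SOHO "gateway" mode (assumed simplification).
    """

    def __init__(self, name, addrs, routes, nat_wan=None):
        self.name = name
        self.addrs = [ip.ip_interface(a) for a in addrs]
        self.routes = [(ip.ip_network(p), ip.ip_address(n) if n else None) for p, n in routes]
        self.nat_wan = ip.ip_address(nat_wan) if nat_wan else None
        self.xlate = {}  # outside peer -> inside source address of an open NAT session

    def owns(self, addr):
        return any(i.ip == addr for i in self.addrs)

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


def owner(nodes, addr):
    return next((n for n in nodes if n.owns(addr)), None)


def trace(nodes, src, dst, max_hops=12):
    """Forward one packet hop by hop. Returns (path, source address as the receiver sees it or None)."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    prev, cur = None, owner(nodes, src)
    path = [cur.name]
    for _ in range(max_hops):
        if cur.nat_wan is not None:
            wan_net = next(i.network for i in cur.addrs if i.ip == cur.nat_wan)
            if prev is not None and any(i.ip in wan_net for i in prev.addrs):
                # Arrived on the WAN side: only a reply to a translated session gets through.
                if dst == cur.nat_wan and src in cur.xlate:
                    dst = cur.xlate[src]
                else:
                    return path + ["DROPPED: stateful firewall"], None
        if cur.owns(dst):
            return path, src
        route = cur.lookup(dst)
        if route is None:
            return path + ["DROPPED: no route"], None
        _, nh = route
        via = nh if nh is not None else dst
        if cur.nat_wan is not None and via in wan_net:
            cur.xlate[dst] = src  # leaving via WAN: masquerade behind the WAN address
            src = cur.nat_wan
        nxt = owner(nodes, via)
        if nxt is None:
            return path + ["DROPPED: next hop unreachable"], None
        prev, cur = cur, nxt
        path.append(cur.name)
    return path + ["DROPPED: hop limit"], None


def session(nodes, a, b):
    """Send a packet a->b and then b's reply. Returns (status, forward path, reply path)."""
    fwd, seen = trace(nodes, a, b)
    if seen is None:
        return fwd[-1], fwd, []
    rev, back = trace(nodes, b, seen)
    return ("ok" if back is not None else rev[-1]), fwd, rev


def build(router2_mode, pfsense_static_route):
    """Topology from the post: pfSense as office GW, Router 2 for the security subnet. Addresses assumed."""
    pf_routes = [("203.0.113.0/24", None), ("192.168.20.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if pfsense_static_route:
        pf_routes.append(("192.168.21.0/24", "192.168.20.2"))  # the static route the reply asks for
    pfsense = Node("pfSense", ["203.0.113.5/24", "192.168.20.1/24"], pf_routes, nat_wan="203.0.113.5")
    router2 = Node("router2", ["192.168.20.2/24", "192.168.21.1/24"],
                   [("192.168.20.0/24", None), ("192.168.21.0/24", None), ("0.0.0.0/0", "192.168.20.1")],
                   nat_wan="192.168.20.2" if router2_mode == "gateway" else None)
    office_pc = Node("office-pc", ["192.168.20.100/24"], [("192.168.20.0/24", None), ("0.0.0.0/0", "192.168.20.1")])
    sec_ws = Node("security-ws", ["192.168.21.100/24"], [("192.168.21.0/24", None), ("0.0.0.0/0", "192.168.21.1")])
    isp = Node("isp", ["203.0.113.1/24", "198.51.100.1/24"],
               [("203.0.113.0/24", None), ("198.51.100.0/24", None)])  # no RFC 1918 routes upstream
    offsite = Node("offsite-sftp", ["198.51.100.10/24"], [("198.51.100.0/24", None), ("0.0.0.0/0", "198.51.100.1")])
    return [pfsense, router2, office_pc, sec_ws, isp, offsite]


if __name__ == "__main__":
    for mode, static in [("gateway", False), ("gateway", True), ("router", False), ("router", True)]:
        for a, b in [("192.168.21.100", "198.51.100.10"), ("192.168.20.100", "192.168.21.100")]:
            status, fwd, _ = session(build(mode, static), a, b)
            print(f"router2={mode:7} static_route={static!s:5} {a} -> {b}: {status:28} {' > '.join(fwd)}")
```

Running it shows why the reply insists on both halves of the change: with Router 2 in router mode but no static route on pfSense, the security workstation's upload leaves fine but the reply, once de-NATed at pfSense, is sent out the WAN and dies at the ISP; with the static route but Router 2 left in gateway mode, the office side can never initiate toward the cameras because Router 2's own firewall drops it. Only router mode plus the static route gives two-way reachability. The caveat that goes with it: once NAT and the firewall are off on Router 2, pfSense is the only policy point between the two subnets, so its LAN rules, not Router 2, decide what the camera subnet may reach.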
 

jwhitmor
Feb 1, 2011
The "office" network router is actually a box running pfSense firewall software, which is as flexible as most enterprise routers. I had not thought about adding another NIC to it, but that is a very easy thing to do.

I have no evidence that the pfSense box has ever been a choke point in the office network, (it runs on a Geode CPU using >15 watts) but I still favor segmenting the (streaming video) security camera traffic to its own LAN, and only passing alarm flags, and occasional .jpg photos through the office router to the internet. The "security" router is a Linksys W54G2 and it has a drop menu to select network router mode. I have not looked for it yet, but I am almost sure that it is equally simple to disable NAT and the firewall. If not, I have no issue with replacing it with a more capable unit.

I will try the two router plan first, and later if the office router is ever upgraded, I can look at using it alone with three NICs. It is nice having options.

Thank you for the great responses!
J.W.
 

jwhitmor
Feb 1, 2011
Yes, the main gateway router is a PC running pfSense software. I will add another gigabit NIC and give it a try. My only reservation was because the GW router PC is ultra low power. It could be easily upgraded, but a more capable PC would draw 6 to 9 times as much current, and require an upgrade to the UPS. If you ever need another firewall / router, you should consider pfSense. It has been rock stable, inexpensive, and easy to use.

Thank you again,
J.W.
 
Actually funny you mention that. At the house I'm running a Via C7 CPU in a mini-ITX case using a pico-PSU and a JetWay mobo. The board has an expansion module for a daughter-board; I purchased the 3x 1000Base-TX module (for 4 gigabit Ethernet adapters). I installed CentOS 4.2 but then recompiled the kernel with the Via C7 optimizations and PadLock encryption enabled. Stripped down the box to essential services and configured it to boot to init 3 instead of init 5 (so no GUI on by default). Put Snort on for IDS, Shorewall to manage the iptables FW, OpenVPN for VPN support, Webmin for remote administration (on local LAN only), and Quagga to run OSPF routing between each of my remote nodes.

When I'm finished I've got a bullet-proof FW / GW combo that can do whatever it is I want it to do but consumes less than 40 W of power at max load. Can do AES-256 encryption with 2048 bit keys in real time (PadLock encryption acceleration); OpenVPN is using AES-256 and OpenSSL is configured to use PadLock as the default AES engine, so I get no performance penalty for data encryption at 1 Gbps+ speeds.
 
@ dadiggle

Read very carefully his current topology and what his end state is. "Wireless" is just a subnet off wl0 bridged to eth1; it has nothing to do with the discussion. He needs to merge two subnets into a single network topology rather than have two separate networks. What you suggested is crazy when you can just connect eth0 of the security subnet to eth2 of the router, especially since he doesn't have a SOHO device.

STOP thinking of SOHO "routers" as routers only; they're multifunction devices. They are a two- to three-port router connected to a five-port switch running Linux / VMs with a web interface. Once you understand this you can apply basic networking knowledge and do some pretty amazing things. A router in network speech is just a device that routes packets from one subnet to another based on a routing table; your Windows PC is a fcking router.
 

jwhitmor
Feb 1, 2011
My office router / firewall is a mini-ITX board from MSI with a Geode CPU and a hardware AES encryption chip. It uses a pico-PSU for power, and boots pfSense from a compact-flash drive. The MSI board only has two GB NICs stock, but there is room to plug in another if needed. Right now it goes next to an unmanaged switch, which is Cat-6 wired to everything but the laptops. The laptops connect through a WAP which is cabled to the switch. The office LAN is just that: workstations, scanners, printers, a server, and internet access. The pfSense box does all the routing, firewall, NAT etc. Each device has a static IP address, but DHCP for a very limited address range is enabled for visitors. It has been in use for some time now and works well.

The security LAN is "under development." It is very simple, with 8 wireless IP video cameras, a Linksys WRT54G2 wireless router / switch, and a workstation running surveillance software. The transfers are WPA2 (AES) encrypted. The obvious problem is that the workstation is on-site. If there was a break-in, it would be vulnerable if it was located.

We also own space in a secured server farm three states away from us, so the solution would be to send the security photos or video-clips there in real time. The surveillance software can also send alarm messages to a smart-phone.

Why two WAPs with two SSIDs (on different channels)? I do not want the cameras on the office wireless network. The cameras generate a lot of wireless traffic. The cameras stream to the security wireless router only, and it is hard-wired to the security workstation, where the software interprets sound and motion, and decides what is worth recording.

All of the suggestions are good. I was thinking about using SFTP to transfer the video captures to the remote server, but a VPN could be a better way. Before I get to that part of the puzzle, I have to get the security workstation a connection to the outside world. I was not clear on that point. I just said I needed to connect the two LANs. I can put two NICs in the security workstation and make the bridge through it, I would guess.

I am learning a lot as I go. This is great!
J.W.
 
Solution

With DD-WRT loaded you can easily switch the SOHO router into router mode without NAT or stateful FW. Plug a cable from the WAN port to a port on your user switch. Give the router's WAN interface a static IP address from the LAN subnet of the office network. You will have to inform pfSense about the additional security subnet and do a static route to it. This should get your two subnets talking to each other and give access to your internet gateway device.

As for your off-site data storage needs, that is something you will need to ask the camera manufacturer or OEM provider.

jwhitmor
Feb 1, 2011
DD-WRT adds many options to the Linksys/Cisco WRT54G2 router, and despite the many warnings about "bricking the router" on the DD-WRT site, it loaded without any problem. Thank you for the details on setting up the security router, and cabling it to the gateway-firewall router. Storage space is no problem.

Lots of good information, :D
Jim W.