(please disregard my other post, this is the correct one)
OK, I'll try and explain this simply. We have 2 DHCP controlled networks at our work:
Network 1: Transparent EOC connection to Internet. Directly behind the EOC box is a router using a static (WAN) address provided from our ISP. Internally, the router uses DHCP (LAN) to manage a 192.168.1.x network. All computers on this network are using 192.168.1.x addresses via DHCP from that router - (rather, they should be). We use this for Internet access, office computers, a POS server and our POS systems. Mostly Windows XP and some Win 7 systems. Server is Windows 2008 server, but is not controlling DHCP nor a domain. It's just a Win 2008 computer on the network running as a "virtual box" on a VMware-based server.
Network 2: Comes in on a separate DSL line. This DSL modem is set up as a bridge. The router behind the bridge is using a static IP block (8 static IP addresses, 5 usable) from our ISP. Internally, this router uses DHCP (LAN) to manage a 175.69.10.x network (or some address similar to that). All machines on this network are using 175.69.10.x addresses via DHCP from the 2nd router. There is external VPN access to this network via one of the static IP addresses. This is routed correctly. This is primarily a Linux network controlling several Linux-based machines.
So, someone decided to "bridge" these two networks by simply plugging each network into the same central switch via Cat 5 cable.
Bad idea, and now I need to fix it.
The first problem we had (of course) was that the DHCP servers conflicted immediately, so we had to set half of this "mongrel" network to static IPs like 192.168.1.x, and the other computers are getting their addresses via DHCP from the 176.68.1.x network router.
This works - badly. The second router keeps "resetting" the network, causing IP address problems on the first network, screwing up our POS system in the process. But we still need to access the Linux machines on network 2 (via http) from the machines on network 1.
I am thinking the solution to this issue is to place a 3rd router as a bridge between the two networks. Is this correct?
The goal is to be able to be sitting at machine 192.168.1.x on one network, open a web browser, type in a 175.69.10.x address on the other network and have the Linux web-based application come up from the machine on the second network. (We may need more services bridged besides just http.)
Possible? If so, how would this be set up correctly?
Putting both networks on the EOC connection controlled by a single router is NOT an option.
Yes, in the broadest sense of the word, you need a router. A device that allows an orderly transition between the two networks. But your typical consumer/small-business grade router divides the world between WAN and LAN, which implies a one-way valve; all traffic leaving the LAN is allowed out by default, all traffic coming in from the WAN is blocked. So the building blocks are there, but the behavior is not quite right. We want routing between “peers”, LAN to LAN.
What you really need is a managed switch, something that will allow the definition of VLANs, one for each network, and route between them, while using firewall rules to prevent the passing of specific traffic/protocols (the most obvious being DHCP).
Here again is where your consumer/small-business grade router comes up short. You typically have limited control of the firewall. And NAT is often the default and perhaps can’t be disabled. It’s just a difficult device to work with UNLESS it’s say, a dd-wrt compatible router. Now you can do things like disable NAT, alter the firewall rules at the command line, even define/use VLANs, effectively turning the router into that managed switch!
However you implement it, it all comes down to the same concept; routing between the networks in a controlled manner, the control being primarily a firewall.
Finally, once you have this router configured and installed, you’ll need to update the routing tables on each gateway so they know how to find the other network (or else they’d simply route it out their respective WANs!).
And I set up "VLANs" on this piece of hardware. I think I can figure that out.
However, the last thing you suggested is that I need to set the other two routers to NOT let traffic destined for the other network out through the WAN connection. Is there a way to direct this traffic? In other words, will there be routable IP addresses on the VLANs in the 3rd router? I just need to conceptualize what's going on there.
I can’t make specific recommendations since these devices vary as to capabilities and features. You’d minimally need a layer 3 managed switch, one that supported interVLAN IP routing. These are just things you’d have to research.
By keeping both networks connected to a managed switch, each w/ its own VLAN, all ethernet traffic/broadcasts will remain confined to their respective networks. And since DHCP works at the ethernet level, that solves the DHCP server problem.
As I thought more about it, I was concerned a new technology like the managed switch might prove a bit too much. A network professional would probably take this approach. But for simplicity sake (and even cost savings), you could just use two additional routers as gateways between the LANs.
Perhaps a bit ungainly, but it’s simple and works w/ virtually any off-the-shelf routers (perhaps something you already have). And in the meantime, if you’d prefer something else for the long haul, you could research it.
If it has one negative, it’s that each network has unfettered access to the other at the IP level (perhaps what you want anyway). For a more restrictive relationship, you could connect them WAN to WAN. Now each is firewall’d from the other by default, and you decide what to allow between them explicitly.
NOTE: Each router would need a static IP on its own network and have its own DHCP server disabled.
Anyway, just some more options to consider.
Regarding the WAN…
Any IP address that lies outside the local network is sent to the default gateway (normally your primary router), which then routes it over the WAN to the ISP. But in the case of traffic destined to the other local network, you have a gateway specifically for that purpose. Only problem is, neither the clients nor your router know it! You tell them either on individual clients by updating their local routing table, OR, updating your primary router’s local routing table (the latter being much preferred, assuming it has that feature).
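To make the two mechanisms in the answers concrete (the static route on the primary gateway that keeps inter-LAN traffic off the WAN, and the firewall on the third router that lets HTTP through while keeping DHCP confined), here is a small Python model. It is an added illustration, not code from anyone in this thread; the two LAN prefixes are the ones the question gives, while the inter-LAN router's addresses (192.168.1.254 and 175.69.10.254) are assumed placeholders. The DHCP rule is belt-and-braces: with each LAN on its own VLAN the DHCP broadcasts never reach the router's forwarding path at all, which is the point made about DHCP working at the Ethernet level.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The two LANs from the question.
LAN1 = ipaddress.ip_network("192.168.1.0/24")
LAN2 = ipaddress.ip_network("175.69.10.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Assumed addresses for the added inter-LAN router: one static IP on each
# network (placeholders chosen for this example, not from the thread).
INTERLAN_ON_LAN1 = "192.168.1.254"
INTERLAN_ON_LAN2 = "175.69.10.254"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str          # "direct", "wan", or the next-hop IP as a string


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route wins, as on any host or router."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best.via if best else None


# The LAN1 router's table as it stands today: its own LAN, everything else to the ISP.
GW1_BEFORE = [Route(LAN1, "direct"), Route(ANY, "wan")]

# The same table once the static route for the other LAN is added, pointing at
# the inter-LAN router's address on LAN1.
GW1_AFTER = GW1_BEFORE + [Route(LAN2, INTERLAN_ON_LAN1)]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp" or "udp"
    dport: int
    established: bool = False   # stands in for a stateful firewall's connection tracking


def interlan_forward(pkt: Packet) -> bool:
    """Forwarding policy on the inter-LAN router, WAN-to-WAN style (default deny).

    Rules, in order:
      1. only traffic between the two LANs is considered at all
      2. DHCP (UDP 67/68) never crosses, so each LAN keeps its own DHCP server
      3. replies belonging to an already-allowed connection are let through
      4. new HTTP connections from LAN1 to LAN2 are allowed
      5. everything else is dropped
    """
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    lan1_to_lan2 = src in LAN1 and dst in LAN2
    lan2_to_lan1 = src in LAN2 and dst in LAN1
    if not (lan1_to_lan2 or lan2_to_lan1):
        return False
    if pkt.proto == "udp" and pkt.dport in (67, 68):
        return False
    if pkt.established:
        return True
    if lan1_to_lan2 and pkt.proto == "tcp" and pkt.dport == 80:
        return True
    return False


if __name__ == "__main__":
    print("LAN2 host, before static route:", lookup(GW1_BEFORE, "175.69.10.5"))
    print("LAN2 host, after static route: ", lookup(GW1_AFTER, "175.69.10.5"))
    print("HTTP LAN1->LAN2 forwarded:",
          interlan_forward(Packet("192.168.1.10", "175.69.10.5", "tcp", 80)))
    print("DHCP LAN2->LAN1 forwarded:",
          interlan_forward(Packet("175.69.10.1", "192.168.1.10", "udp", 68)))
```

Before the static route exists, the LAN1 gateway sends a 175.69.10.x destination to "wan" and the ISP drops or misroutes it; after the route is added the same lookup returns the inter-LAN router's address. Adding more services later means adding one more allow rule in `interlan_forward`, which is exactly the "you decide what to allow between them explicitly" relationship described for the WAN-to-WAN option.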