Tunnel SSH and database ports via WAN2 in a dual WAN router
ISP-A: 4mbps (1:1) fiber leased line with a static IP address, and ISP-B: 20mbps (1:8) fiber connection with a dynamic IP address.

A little context to the situation: currently we have only one ISP (ISP-A) and, as the bandwidth is not sufficient for everyone (around 25 people browsing and accessing AWS/Azure), our plan is to add another ISP to our local network so that everyone can browse/mail without complaining about bandwidth issues. ISP-B costs less than ISP-A for 20mbps as it's not a 1:1 connection and they don't have any SLA with us. Our office is divided into Dev and Non-Dev users.

Dev Users

  • Majority on LAN & 3 on WiFi
  • Connect to AWS/Azure (need to connect from a fixed IP for the incoming firewall policies on the instances).
  • Need to browse the internet (doesn't matter if the IP is fixed at this point). Most of them use SO/Git/Bitbucket/YT etc.

Non-Dev Users

  • Majority on WiFi & 3 on LAN
  • Browse the internet, use mail/hangouts/skype/teamviewer and don't need any static IP for whatever they use.

Once we get the 2nd ISP (ISP-B), I would like to channel all browsing traffic to ISP-B (20mbps) and have all the devs connect to AWS/Azure via ISP-A (4mbps) for SSH. So my plan was to set ISP-A as WAN1 and ISP-B as WAN2, e.g.:

  WAN1 172.16.0.1
  WAN2 172.16.1.1

What needs to be done is: everyone uses the internet via ISP-B; devs use SSH (port 22), database connections (port 5432) and some other ports which require a static IP via ISP-A.

Equipment in use

  1. CISCO SG300-58 managed switch
  2. TP-Link single WAN router
  3. 3x Ubiquiti Unifi APs

Proposed Equipment for Purchase

  1. Ubiquiti USG-Pro4 (to do Dual WAN)
  2. 2x more Ubiquiti Unifi APs

Total Devs: 10
Total Non-Devs: 25

Instead of changing their default gateway, how can I make them use the internet (browse) via WAN2 without setting up a proxy server?
Tags: local-area-network internet gateway wide-area-network unifi

asked May 3 '17 at 7:11 by user2967920
edited Apr 5 at 5:19 by user2967920

2 Answers

So I got this done using a USG-Pro-4.

A custom rule needs to be implemented for this via SSH, as the UI is not complete at this stage to manage these rules.

The idea is to send ports 22 and 5432 out via WAN2 and keep internet traffic on WAN1.

Equipment

  1. Cisco SG300-52 - doing DHCP - 172.16.0.1
  2. Unifi USG-Pro-4 - dual WAN router on 172.16.0.5/16
     1. WAN1: fiber mux on 192.168.1.2
     2. WAN2: fiber-to-LAN media converter on 192.168.2.1
  3. Unifi AP - 3x Nos, get addresses via DHCP; the Unifi controller is used to manage groups/SSIDs etc.

Overview of implementation

  • LAN1: 172.16.0.0/16
  • WAN1: 192.168.1.2/29, gateway 192.168.1.1
  • WAN2: 192.168.2.2/29, gateway 192.168.2.1

All traffic going from LAN1 out on ports 22 and 5432 is sent out via WAN2 using the following rule on the USG-Pro-4. This allows browsing to happen via the 20mbps line and all database-related work and SSH to happen via WAN2 (static IP).

Example Configuration for the USG-Pro-4

  configure
  set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.2.1
  set firewall modify LOAD_BALANCE rule 2950 action modify
  set firewall modify LOAD_BALANCE rule 2950 modify table 1
  set firewall modify LOAD_BALANCE rule 2950 source address 172.16.0.0/16
  set firewall modify LOAD_BALANCE rule 2950 destination port 22,5432
  set firewall modify LOAD_BALANCE rule 2950 protocol tcp
  commit
  save

You can use this Link to access the entire thread for configuration. A big thank you to UBNT-jaffe.

answered Jun 22 '17 at 9:14 by user2967920, edited Jun 22 '17 at 9:29

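As an added illustration (not part of the answer above, and not Ubiquiti's own code), the following Python models how the USG evaluates the LOAD_BALANCE modify rule and shows why the rule has to list both ports: a rule matching only TCP/22 leaves port 5432 on the WAN1 default route. Rule number, LAN prefix and gateways are taken from the answer; the flows and the 203.0.113.10 / 10.0.0.5 addresses are constructed.

```python
"""Model of the USG-Pro-4 policy-based-routing rule posted in the answer above.

EdgeOS checks a 'firewall modify' ruleset on traffic entering the LAN interface
in ascending rule-number order; the first rule whose criteria all match sets
the routing table for that flow, and an unmatched flow follows the main table
(the WAN1 default route here). Rule number, LAN prefix and next-hops are from
the answer; the flows below are constructed test data, not captured traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Default route of each routing table (from the answer): main -> WAN1 gateway,
# 'table 1' -> WAN2 gateway.
NEXT_HOP = {"main": ("WAN1", "192.168.1.1"), 1: ("WAN2", "192.168.2.1")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def parse_ports(spec: str) -> frozenset:
    """Parse EdgeOS 'destination port' syntax: '22', '22,5432' or '5000-5010'."""
    ports = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return frozenset(ports)


@dataclass(frozen=True)
class ModifyRule:
    """One 'set firewall modify LOAD_BALANCE rule <number> ...' entry."""
    number: int
    table: int
    source: str = "0.0.0.0/0"
    protocol: Optional[str] = None   # None matches any protocol
    dest_ports: str = ""             # "" matches any destination port

    def matches(self, flow: Flow) -> bool:
        if ip_address(flow.src) not in ip_network(self.source):
            return False
        if self.protocol is not None and flow.proto != self.protocol:
            return False
        if self.dest_ports and flow.dport not in parse_ports(self.dest_ports):
            return False
        return True

    def to_edgeos(self, ruleset: str = "LOAD_BALANCE") -> list:
        """Render the rule as the 'set' commands used in the answer."""
        prefix = f"set firewall modify {ruleset} rule {self.number}"
        lines = [f"{prefix} action modify",
                 f"{prefix} modify table {self.table}",
                 f"{prefix} source address {self.source}"]
        if self.dest_ports:
            lines.append(f"{prefix} destination port {self.dest_ports}")
        if self.protocol:
            lines.append(f"{prefix} protocol {self.protocol}")
        return lines


def select_egress(flow: Flow, rules: list) -> str:
    """Return the WAN a flow leaves on: first matching rule wins, else main table."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(flow):
            return NEXT_HOP[rule.table][0]
    return NEXT_HOP["main"][0]


# A rule that steers only TCP/22 from LAN1 into table 1 ...
SSH_ONLY = [ModifyRule(2950, table=1, source="172.16.0.0/16",
                       protocol="tcp", dest_ports="22")]
# ... and the rule the answer's prose describes: SSH and PostgreSQL via WAN2.
SSH_AND_DB = [ModifyRule(2950, table=1, source="172.16.0.0/16",
                         protocol="tcp", dest_ports="22,5432")]

# Constructed sample flows; 203.0.113.10 is a documentation address standing
# in for an AWS/Azure instance and 10.0.0.5 is a host outside the LAN1 prefix.
SAMPLE_FLOWS = {
    "ssh":      Flow("172.16.20.15", "203.0.113.10", 22),
    "postgres": Flow("172.16.20.15", "203.0.113.10", 5432),
    "https":    Flow("172.16.20.15", "203.0.113.10", 443),
    "udp22":    Flow("172.16.20.15", "203.0.113.10", 22, proto="udp"),
    "not_lan1": Flow("10.0.0.5", "203.0.113.10", 22),
}


def egress_report(rules: list) -> dict:
    """Map each sample flow name to the WAN it would egress under 'rules'."""
    return {name: select_egress(flow, rules) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("port 22 only", SSH_ONLY), ("ports 22,5432", SSH_AND_DB)):
        print(label, egress_report(rules))
```

Only TCP flows from inside 172.16.0.0/16 to a listed port are steered into table 1; everything else, including UDP to port 22 and hosts outside LAN1, stays on the WAN1 default route.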
There is no easy way to split the internet in half without also splitting your networks in half. Good news is that this sounds pretty much like what you were expecting to have to do anyway.

If you have VLAN100 set to use ISP A and VLAN200 set to use ISP B, then you can do inter-VLAN routing to get full LAN access for both networks, and set your default gateways to the respective ISPs to control the internet access.

Now, if you wanted to do this so that all of your developers and non-developers were on the correct VLANs regardless of whether they were plugged in or on WiFi, there are multiple ways of achieving this.

For your WiFi, you could use WPA2-Enterprise authentication with a RADIUS server that specifies which VLAN to put the user on. Essentially, instead of having the same shared key to connect to the WiFi, users connect with a username and password. The username they provide indicates which VLAN they will be put onto. Ubiquiti UniFi (good choice, btw) can absolutely do this.

The other option for WiFi would just be to have two SSIDs, one on each VLAN, and you just instruct your staff to connect to one or the other. UniFi can also do this very easily.

For your wired connections, you can use 802.1X port-based network access control. Essentially this is similar to WPA2-Enterprise. When a user plugs into the network, the operating system detects that you need to do 802.1X authentication and prompts the user for a network username/password (or it passes one through in the case of Active Directory and Windows). Once authenticated, 802.1X will put the user on the appropriate VLAN. This way users can plug in wherever they want and still end up on the right network.

The other option, if your users are static, is to just manually assign port-based VLANs to their Ethernet port, and that way anyone who sits down and plugs into a given port will end up on one of the two networks.

    With this setup, the devs would connect to AWS/Azure directly via Terminal/PuTTY without any issues but they would also browse via the same gateway which would be slower.

This is a difficult problem to overcome. If you have a very specific set of IP addresses you are connecting to, then some routing rules could come in handy. But what tends to happen then is, if you have a basic SPI firewall, they will often drop the return connections because they didn't see them get initiated (asynchronous routing).

But it sounds like the devs are not going to be any worse off than they are now. Right now you're shoving 35 people down the one 4Mbps pipe. Now you're only shoving 10 people down that pipe, so it might still be a win.
• Hey Shannon, I managed to solve the issue above. Really appreciate your thoughts.
  – user2967920 Jun 22 '17 at 9:18











            Your Answer








            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "2"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f847927%2ftunnel-ssh-and-database-ports-via-wan2-in-a-dual-wan-router%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            1














            So I got this done using a USG-Pro-4.



            A custom rule needs to be implemented for this via SSH as the UI for it is not complete at this stage to manage these rules.



            The idea is to Send port 22,5432 out via WAN2 and keep Internet traffic on WAN1.



            Equipment



            1. Cisco-SG300-52 - Doing DHCP - 172.16.0.1

            2. Unifi USG-Pro-4 - Dual WAN Router on - 172.16.0.5/16

              1. WAN1 : Fiber mux on 192.168.1.2

              2. WAN2 : - Fiber to LAN media converter on 192.168.2.1


            3. Unifi AP - 3x Nos, get addresses via DHCP, unifi controller is used to manage groups/SSID etc.

            Overview of implementation



            • LAN1 : 172.16.0.0/16

            • WAN1 : 192.168.1.2/29 Gateway : 192.168.1.1

            • WAN2 : 192.168.2.2/29 Gateway : 192.168.2.1

            All traffic going from LAN1 out on port 22 and 5432 is sent out via WAN2 using the following rule on the USG-Pro-4, this allows browing to happen via the 20mbps line and all Database related work and SSH to happen via WAN2 (Static IP).



            Example Configuration for the USG-Pro-4



            configure
            set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.2.1
            set firewall modify LOAD_BALANCE rule 2950 action modify
            set firewall modify LOAD_BALANCE rule 2950 modify table 1
            set firewall modify LOAD_BALANCE rule 2950 source address 172.16.0.0/16
            set firewall modify LOAD_BALANCE rule 2950 destination port 22
            set firewall modify LOAD_BALANCE rule 2950 protocol tcp
            commit
            save


            You can use this Link to access the entire thread for configuration. A big tank you to UBNT-jaffe.






            share|improve this answer





























              1














              So I got this done using a USG-Pro-4.



              A custom rule needs to be implemented for this via SSH as the UI for it is not complete at this stage to manage these rules.



              The idea is to Send port 22,5432 out via WAN2 and keep Internet traffic on WAN1.



              Equipment



              1. Cisco-SG300-52 - Doing DHCP - 172.16.0.1

              2. Unifi USG-Pro-4 - Dual WAN Router on - 172.16.0.5/16

                1. WAN1 : Fiber mux on 192.168.1.2

                2. WAN2 : - Fiber to LAN media converter on 192.168.2.1


              3. Unifi AP - 3x Nos, get addresses via DHCP, unifi controller is used to manage groups/SSID etc.

              Overview of implementation



              • LAN1 : 172.16.0.0/16

              • WAN1 : 192.168.1.2/29 Gateway : 192.168.1.1

              • WAN2 : 192.168.2.2/29 Gateway : 192.168.2.1

              All traffic going from LAN1 out on port 22 and 5432 is sent out via WAN2 using the following rule on the USG-Pro-4, this allows browing to happen via the 20mbps line and all Database related work and SSH to happen via WAN2 (Static IP).



              Example Configuration for the USG-Pro-4



              configure
              set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.2.1
              set firewall modify LOAD_BALANCE rule 2950 action modify
              set firewall modify LOAD_BALANCE rule 2950 modify table 1
              set firewall modify LOAD_BALANCE rule 2950 source address 172.16.0.0/16
              set firewall modify LOAD_BALANCE rule 2950 destination port 22
              set firewall modify LOAD_BALANCE rule 2950 protocol tcp
              commit
              save


              You can use this Link to access the entire thread for configuration. A big tank you to UBNT-jaffe.






              share|improve this answer



























                1












                1








                1







                So I got this done using a USG-Pro-4.



                A custom rule needs to be implemented for this via SSH as the UI for it is not complete at this stage to manage these rules.



                The idea is to Send port 22,5432 out via WAN2 and keep Internet traffic on WAN1.



                Equipment



                1. Cisco-SG300-52 - Doing DHCP - 172.16.0.1

                2. Unifi USG-Pro-4 - Dual WAN Router on - 172.16.0.5/16

                  1. WAN1 : Fiber mux on 192.168.1.2

                  2. WAN2 : - Fiber to LAN media converter on 192.168.2.1


                3. Unifi AP - 3x Nos, get addresses via DHCP, unifi controller is used to manage groups/SSID etc.

                Overview of implementation



                • LAN1 : 172.16.0.0/16

                • WAN1 : 192.168.1.2/29 Gateway : 192.168.1.1

                • WAN2 : 192.168.2.2/29 Gateway : 192.168.2.1

                All traffic going from LAN1 out on port 22 and 5432 is sent out via WAN2 using the following rule on the USG-Pro-4, this allows browing to happen via the 20mbps line and all Database related work and SSH to happen via WAN2 (Static IP).



                Example Configuration for the USG-Pro-4



                configure
                set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.2.1
                set firewall modify LOAD_BALANCE rule 2950 action modify
                set firewall modify LOAD_BALANCE rule 2950 modify table 1
                set firewall modify LOAD_BALANCE rule 2950 source address 172.16.0.0/16
                set firewall modify LOAD_BALANCE rule 2950 destination port 22
                set firewall modify LOAD_BALANCE rule 2950 protocol tcp
                commit
                save


                You can use this Link to access the entire thread for configuration. A big tank you to UBNT-jaffe.






                share|improve this answer















                So I got this done using a USG-Pro-4.



                A custom rule needs to be implemented for this via SSH as the UI for it is not complete at this stage to manage these rules.



                The idea is to Send port 22,5432 out via WAN2 and keep Internet traffic on WAN1.



                Equipment



                1. Cisco-SG300-52 - Doing DHCP - 172.16.0.1

                2. Unifi USG-Pro-4 - Dual WAN Router on - 172.16.0.5/16

                  1. WAN1 : Fiber mux on 192.168.1.2

                  2. WAN2 : - Fiber to LAN media converter on 192.168.2.1


                3. Unifi AP - 3x Nos, get addresses via DHCP, unifi controller is used to manage groups/SSID etc.

                Overview of implementation



                • LAN1 : 172.16.0.0/16

                • WAN1 : 192.168.1.2/29 Gateway : 192.168.1.1

                • WAN2 : 192.168.2.2/29 Gateway : 192.168.2.1

                All traffic going from LAN1 out on port 22 and 5432 is sent out via WAN2 using the following rule on the USG-Pro-4, this allows browing to happen via the 20mbps line and all Database related work and SSH to happen via WAN2 (Static IP).



                Example Configuration for the USG-Pro-4



                configure
                set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.2.1
                set firewall modify LOAD_BALANCE rule 2950 action modify
                set firewall modify LOAD_BALANCE rule 2950 modify table 1
                set firewall modify LOAD_BALANCE rule 2950 source address 172.16.0.0/16
                set firewall modify LOAD_BALANCE rule 2950 destination port 22
                set firewall modify LOAD_BALANCE rule 2950 protocol tcp
                commit
                save


                You can use this Link to access the entire thread for configuration. A big tank you to UBNT-jaffe.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Jun 22 '17 at 9:29

























                answered Jun 22 '17 at 9:14









                user2967920user2967920

                165




                165























                    0














                    There is no easy way to split the internet in half without also splitting your networks in half. Good news is that this sounds pretty much like what you were expecting to have to do anyway.



                    If you have VLAN100 set to use ISP A and VLAN200 set to use ISP B, then you can do inter-vlan routing to get full LAN access for both networks, and set your default gateways to the respective ISPs to control the internet access.



                    Now, if you wanted to do this so that all of your developers and non-developers were on the correct VLANs regardless of whether they were plugged in or on WiFi, there are multiple ways of achieving this.



                    For your WiFi, you could use WPA2-Enterprise authentication with a RADIUS server that specifies which vlan to put the user on. Essentially instead of having the same shared key to connect to the WiFi, users connect with a username and password. The username they provide indicates which VLAN they will be put onto. Ubiquiti UniFi (good choice, btw) can absolutely do this.



                    The other option for WiFi would just be to have two SSIDs, one on each VLAN, and you just instruct your staff to connect to one or the other. UniFi can also do this very easily.



                    For your wired connections, you can use 802.1x port-based network access control. Essentially this is similar to WPA2-enterprise. When a user plugs into the network, the operating system detects that you need to do 802.1x authentication and prompts the user for a network username/password (or it passes one through in the case of Active Directory and Windows). Once authenticated, 802.1x will put the user on the appropriate VLAN. This way users can plug in wherever they want and still end up on the right network.



                    The other option, if your users are static, is to just manually assign port-based VLANs to their ethernet port and that way anyone who sits down and plugs into a given port will end up on one of the two networks.




                    With this setup, the devs would connect to AWS/Azure directly via Terminal/Putty without any issues but they would also browse via the same gateway which would be slower.




                    This is a difficult problem to overcome. If you have a very specific set of IP addresses you are connecting to, then some routing rules could come in handy. But what tends to happen then is if you have a basic SPI firewall they will often drop the return connections because they didn't see them get initiated (asynchronous routing).



                    But it sounds like the devs are not going to be any worse off than they are now. Right now you're shoving 35 people down the one 4Mbps pipe. Now you're only shoving 10 people down that pipe, so it might still be a win.






                    share|improve this answer























                    • Hey Shannon, I managed to solve the issue above. Really appreciate your thoughts.

                      – user2967920
                      Jun 22 '17 at 9:18















                    0














                    There is no easy way to split the internet in half without also splitting your networks in half. Good news is that this sounds pretty much like what you were expecting to have to do anyway.



If you have VLAN100 set to use ISP A and VLAN200 set to use ISP B, then you can do inter-VLAN routing to get full LAN access for both networks, and set your default gateways to the respective ISPs to control the internet access.

Now, if you wanted to do this so that all of your developers and non-developers were on the correct VLANs regardless of whether they were plugged in or on WiFi, there are multiple ways of achieving this.

For your WiFi, you could use WPA2-Enterprise authentication with a RADIUS server that specifies which VLAN to put the user on. Essentially, instead of having the same shared key to connect to the WiFi, users connect with a username and password. The username they provide indicates which VLAN they will be put onto. Ubiquiti UniFi (good choice, btw) can absolutely do this.

The other option for WiFi would just be to have two SSIDs, one on each VLAN, and you just instruct your staff to connect to one or the other. UniFi can also do this very easily.

For your wired connections, you can use 802.1X port-based network access control. Essentially this is similar to WPA2-Enterprise. When a user plugs into the network, the operating system detects that you need to do 802.1X authentication and prompts the user for a network username/password (or it passes one through in the case of Active Directory and Windows). Once authenticated, 802.1X will put the user on the appropriate VLAN. This way users can plug in wherever they want and still end up on the right network.

The other option, if your users are static, is to just manually assign port-based VLANs to their Ethernet port, and that way anyone who sits down and plugs into a given port will end up on one of the two networks.

With this setup, the devs would connect to AWS/Azure directly via Terminal/PuTTY without any issues, but they would also browse via the same gateway, which would be slower.

This is a difficult problem to overcome. If you have a very specific set of IP addresses you are connecting to, then some routing rules could come in handy. But what tends to happen then is, if you have a basic SPI firewall, it will often drop the return connections because it didn't see them get initiated (asynchronous routing).

But it sounds like the devs are not going to be any worse off than they are now. Right now you're shoving 35 people down the one 4Mbps pipe. Now you're only shoving 10 people down that pipe, so it might still be a win.























answered May 3 '17 at 10:01
Mark Henderson

• Hey Shannon, I managed to solve the issue above. Really appreciate your thoughts.
  – user2967920
  Jun 22 '17 at 9:18


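The RADIUS side of the WPA2-Enterprise and wired 802.1X options in the answer above, as an added example that is not part of the original answer. Both options work the same way on the back end: the NAS (a UniFi AP or an 802.1X-capable switch) sends the user's credentials to RADIUS, and the Access-Accept carries three attributes (RFC 3580: Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-Id) naming the VLAN to drop the session on. The script below generates a FreeRADIUS `users` file for that, and includes a checker that reads a `radtest`/`radclient` reply and reports which VLAN the client would land on. The group names, the VLAN IDs (100 for developers, 200 for everyone else), the `Ldap-Group` check item (which assumes rlm_ldap is configured) and the sample reply are all assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original answer: RADIUS-driven dynamic VLAN
# assignment, the mechanism behind both the WPA2-Enterprise and the wired
# 802.1X options. Group names, VLAN IDs and the Ldap-Group check item are
# assumptions; substitute whatever your directory module provides.

# Assumed mapping: developers -> VLAN100 (ISP A), everyone else -> VLAN200 (ISP B).
DEV_VLAN=100
STAFF_VLAN=200

# The three reply attributes (RFC 3580) that tell the NAS which VLAN to put the
# authenticated session on. The ":1" tag groups them as one tunnel definition;
# a NAS ignores the group id if type or medium is missing or wrong.
vlan_reply_attrs() {
    printf '\tTunnel-Type:1 = VLAN,\n'
    printf '\tTunnel-Medium-Type:1 = IEEE-802,\n'
    printf '\tTunnel-Private-Group-Id:1 = "%s"\n' "$1"
}

# Emit a FreeRADIUS "users" file. Entries are matched top to bottom and the
# first match without Fall-Through ends processing, so the trailing DEFAULT
# rejects any account with no VLAN mapping instead of letting it onto the
# NAS's default/untagged VLAN.
gen_users_file() {
    printf 'DEFAULT Ldap-Group == "developers"\n'
    vlan_reply_attrs "$DEV_VLAN"
    printf '\n'
    printf 'DEFAULT Ldap-Group == "staff"\n'
    vlan_reply_attrs "$STAFF_VLAN"
    printf '\n'
    printf 'DEFAULT Auth-Type := Reject\n'
    printf '\tReply-Message = "no VLAN mapping for this account"\n'
}

# Verification helper: read an Access-Accept as printed by radtest/radclient
# on stdin and print the VLAN the client would land on. Exits 1 if the type or
# medium attribute is missing, the mistake that makes a NAS silently ignore
# the group id.
vlan_from_accept() {
    awk '
        /Tunnel-Type/ && /VLAN/            { type = 1 }
        /Tunnel-Medium-Type/ && /IEEE-802/ { medium = 1 }
        /Tunnel-Private-Group-Id/ {
            match($0, /"[^"]*"/)
            vlan = substr($0, RSTART + 1, RLENGTH - 2)
        }
        END {
            if (type && medium && vlan != "") { print vlan; exit 0 }
            exit 1
        }'
}

# Constructed sample reply: what radtest prints for a developer account
# authenticated against the file above (assumed output, not captured).
SAMPLE_ACCEPT='Received Access-Accept Id 42 from 127.0.0.1:1812 to 127.0.0.1:56013 length 38
    Tunnel-Type:1 = VLAN
    Tunnel-Medium-Type:1 = IEEE-802
    Tunnel-Private-Group-Id:1 = "100"'

# Run stand-alone: print the users file, then check the sample reply.
if [ "${1:-}" = "run" ]; then
    gen_users_file
    printf 'sample reply lands on VLAN %s\n' \
        "$(printf '%s\n' "$SAMPLE_ACCEPT" | vlan_from_accept)"
fi
```

Run it with `sh radius-vlan.sh run`, then point `radtest` at the server and pipe the output through `vlan_from_accept` before trusting the setup; on the UniFi side the wireless network must have its RADIUS-assigned VLAN option enabled, otherwise the AP ignores the attributes and uses the SSID's static VLAN.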










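The "routing rules for a very specific set of IP addresses" idea from the answer above, with the return-path problem it warns about handled, as an added example that is not part of the original answer. The answer calls the failure asynchronous routing; the usual name is asymmetric routing, and it happens when a flow leaves via one WAN and its replies are routed back via the other, so a stateful firewall never sees a complete connection. On a Linux box that is both the router and the firewall the fix is to tag each flow once in conntrack, copy the tag onto every later packet of that flow so all of them take the same routing decision, and source-NAT per egress interface so the reply arrives on the WAN it left from. The script generates the nftables ruleset and the iproute2 commands for that, steering SSH and database connections to the cloud prefixes out WAN2 while everything else keeps the WAN1 default. Interface names (lan0, wan1, wan2), addresses (RFC 5737 documentation ranges), table numbers, port 5432 standing in for "the database port" and the 203.0.113.0/24 stand-in for AWS/Azure ranges are all assumptions; it also assumes nftables and iproute2 rather than the consumer dual-WAN router the question is about.

```sh
#!/bin/sh
# Added example, not from the original answer: Linux policy routing that sends
# only SSH and database flows to the cloud prefixes out WAN2, with conntrack
# marking so the stateful firewall on the same box sees both directions of
# every flow. Interface names, addresses, ports and prefixes are assumptions.

LAN_IF=lan0
WAN1_IF=wan1; WAN1_IP=192.0.2.10;    WAN1_GW=192.0.2.1
WAN2_IF=wan2; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1
WAN1_TABLE=101; WAN2_TABLE=102
MARK=0x2                      # fwmark meaning "this flow belongs to WAN2"
STEER_PORTS='22, 5432'        # SSH and PostgreSQL (assumed database port)
CLOUD_NETS='203.0.113.0/24'   # assumed AWS/Azure prefixes the devs talk to

# nftables ruleset. The first packet of a flow gets the mark and stores it in
# conntrack; every later LAN-side packet of that flow gets the mark restored,
# so the whole flow takes the same routing decision. Masquerade per egress
# interface makes the reply come back to the address of the WAN it left on,
# so conntrack matches it and nothing is dropped as unsolicited.
gen_nft_ruleset() {
    cat <<EOF
table ip pbr {
    set cloud_nets {
        type ipv4_addr
        flags interval
        elements = { $CLOUD_NETS }
    }
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;
        # LAN -> cloud SSH/DB: new flow, tag it for WAN2
        iifname "$LAN_IF" ct state new ip daddr @cloud_nets tcp dport { $STEER_PORTS } meta mark set $MARK ct mark set meta mark
        # anything that arrived on WAN2 (e.g. a port forward) must answer via WAN2 too
        iifname "$WAN2_IF" ct state new meta mark set $MARK ct mark set meta mark
        # later LAN-side packets of a tagged flow get the same mark before routing
        iifname "$LAN_IF" ct mark $MARK meta mark set ct mark
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN1_IF" masquerade
        oifname "$WAN2_IF" masquerade
    }
}
EOF
}

# iproute2 side: one routing table per WAN, marked flows and anything sourced
# from WAN2's own address go to the WAN2 table, everything else falls through
# to the main table (WAN1 default). rp_filter is set to loose (2) on both WANs
# because strict mode drops WAN2 replies whose reverse path, by the main
# table, is WAN1.
gen_ip_commands() {
    cat <<EOF
ip route replace default via $WAN1_GW dev $WAN1_IF table $WAN1_TABLE
ip route replace default via $WAN2_GW dev $WAN2_IF table $WAN2_TABLE
ip rule add fwmark $MARK lookup $WAN2_TABLE priority 100
ip rule add from $WAN1_IP lookup $WAN1_TABLE priority 110
ip rule add from $WAN2_IP lookup $WAN2_TABLE priority 110
sysctl -w net.ipv4.conf.$WAN1_IF.rp_filter=2
sysctl -w net.ipv4.conf.$WAN2_IF.rp_filter=2
EOF
}

# Apply for real (needs root): load the ruleset and run the ip commands.
apply_pbr() {
    gen_nft_ruleset | nft -f -
    gen_ip_commands | sh -e
}

case "${1:-}" in
    apply) apply_pbr ;;
    show)  gen_nft_ruleset; gen_ip_commands ;;
esac
```

`sh pbr.sh show` prints what would be installed; `sh pbr.sh apply` installs it. With the two-VLAN layout from the answer, replace the single `iifname "lan0"` with a set such as `iifname { "vlan100", "vlan200" }`. The caveat that remains is the one the answer raises: this only works because routing and the stateful firewall are the same box. If a separate SPI firewall sits behind a router that does the WAN selection, that firewall sees one direction of the flow and drops the other, and no amount of marking on the router helps.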




