Tunnel SSH and database ports via WAN2 in a dual WAN router
ISP-A: 4 Mbps (1:1) fiber leased line with a static IP address; ISP-B: 20 Mbps (1:8) fiber connection with a dynamic IP address.
A little context on the situation: currently we have only one ISP (ISP-A), and as the bandwidth is not sufficient for everyone (around 25 people browsing and accessing AWS/Azure), our plan is to add another ISP to our local network so that everyone can browse/mail without complaining about bandwidth issues. ISP-B costs less than ISP-A for 20 Mbps as it's not a 1:1 connection and they don't have any SLA with us. Our office is divided into Dev and Non-Dev users.
Dev Users
- Majority on LAN & 3 on WiFi
- Connect to AWS/Azure (needs to be connected from a fixed IP for incoming firewall policies on the instances).
- Need to browse the internet (doesn't matter if the IP is fixed at this point). Most of them use SO/Git/Bitbucket/YT etc.
Non Dev Users
- Majority on WiFi & 3 on LAN
- Browse the internet, use mail/hangouts/skype/teamviewer and don't need any static IP for whatever they use.
Once we get the 2nd ISP-B, I would like to channel all browsing traffic to ISP-B (20mbps) & all the devs connect to AWS/Azure via ISP-A (4mbps) for SSH. So my plan was to set ISP-A as WAN1 and ISP-B as WAN2, Eg:
WAN1 172.16.0.1
WAN2 172.16.1.1
What needs to be done is, everyone uses the internet via ISP-B. Devs use SSH (Port 22), Database connections (Port 5432) and some other ports which require static IP via ISP-A.
Equipment in use
- CISCO SG300-58 managed switch
- TP-Link single WAN Router
- 3x Ubiquiti Unifi APs
Proposed Equipment for Purchase
- Ubiquiti USG-Pro4 (to do Dual WAN)
- 2x more Ubiquiti Unifi APs
Total Devs : 10
Total Non Devs : 25
Instead of changing their default gateway, how can I make them use the internet (Browse) via WAN2 without setting up a Proxy Server?
local-area-network internet gateway wide-area-network unifi
edited Apr 5 at 5:19 by user2967920
asked May 3 '17 at 7:11 by user2967920 (165)
2 Answers
So I got this done using a USG-Pro-4.
A custom rule needs to be implemented for this via SSH as the UI for it is not complete at this stage to manage these rules.
The idea is to send ports 22 and 5432 out via WAN2 and keep Internet traffic on WAN1.
Equipment
- Cisco-SG300-52 - Doing DHCP - 172.16.0.1
- Unifi USG-Pro-4 - Dual WAN Router on - 172.16.0.5/16
- WAN1 : Fiber mux on 192.168.1.2
- WAN2 : Fiber to LAN media converter on 192.168.2.1
- Unifi AP - 3x Nos, get addresses via DHCP, unifi controller is used to manage groups/SSID etc.
Overview of implementation
- LAN1 : 172.16.0.0/16
- WAN1 : 192.168.1.2/29 Gateway : 192.168.1.1
- WAN2 : 192.168.2.2/29 Gateway : 192.168.2.1
All traffic going from LAN1 out on ports 22 and 5432 is sent out via WAN2 using the following rule on the USG-Pro-4. This allows browsing to happen via the 20 Mbps line and all database-related work and SSH to happen via WAN2 (static IP).
Example Configuration for the USG-Pro-4
configure
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.2.1
set firewall modify LOAD_BALANCE rule 2950 action modify
set firewall modify LOAD_BALANCE rule 2950 modify table 1
set firewall modify LOAD_BALANCE rule 2950 source address 172.16.0.0/16
set firewall modify LOAD_BALANCE rule 2950 destination port 22,5432
set firewall modify LOAD_BALANCE rule 2950 protocol tcp
commit
save
You can use this Link to access the entire thread for configuration. A big thank you to UBNT-jaffe.
edited Jun 22 '17 at 9:29
answered Jun 22 '17 at 9:14 by user2967920 (165)
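As an added example (not part of the answer or of Ubiquiti's own tooling), the following Python script parses the `set protocols static table` and `set firewall modify` lines from the configuration above and reports which next-hop each sample flow would take. It is a quick way to confirm that only the intended flows (TCP 22 and 5432 from the LAN) leave via the static-IP line before that address is allow-listed in AWS/Azure security groups; the main-table default next-hop, the sample host addresses and the port `22,5432` list are assumptions.

```python
"""Policy-based-routing check for an EdgeOS/USG `firewall modify` rule set.

Added example: parses the rule lines and evaluates sample flows offline so the
operator can see which WAN gateway a given flow is steered to.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed input: the rule set from the answer above, with 5432 added so the
# config matches the text ("ports 22 and 5432").
USG_CONFIG = """
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.2.1
set firewall modify LOAD_BALANCE rule 2950 action modify
set firewall modify LOAD_BALANCE rule 2950 modify table 1
set firewall modify LOAD_BALANCE rule 2950 source address 172.16.0.0/16
set firewall modify LOAD_BALANCE rule 2950 destination port 22,5432
set firewall modify LOAD_BALANCE rule 2950 protocol tcp
"""

# Assumption: the main routing table's default route points at WAN1's gateway
# (192.168.1.1 in the answer's overview); traffic matching no rule goes there.
MAIN_DEFAULT_NEXT_HOP = "192.168.1.1"


@dataclass
class ModifyRule:
    number: int
    action: Optional[str] = None
    table: Optional[int] = None
    source: Optional[ipaddress.IPv4Network] = None
    ports: Set[int] = field(default_factory=set)   # empty set = any port
    protocol: Optional[str] = None                 # None = any protocol


def parse_ports(spec: str) -> Set[int]:
    """EdgeOS port syntax: comma-separated values and lo-hi ranges."""
    ports: Set[int] = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def parse_config(text: str) -> Tuple[Dict[int, ModifyRule], Dict[int, str]]:
    """Return (rules keyed by rule number, static tables keyed by id -> next-hop)."""
    rules: Dict[int, ModifyRule] = {}
    tables: Dict[int, str] = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:4] == ["set", "protocols", "static", "table"] and "next-hop" in tok:
            # set protocols static table <id> route <prefix> next-hop <gateway>
            tables[int(tok[4])] = tok[tok.index("next-hop") + 1]
        elif tok[:3] == ["set", "firewall", "modify"] and tok[4] == "rule":
            rule = rules.setdefault(int(tok[5]), ModifyRule(int(tok[5])))
            key = tok[6:]
            if key[:1] == ["action"]:
                rule.action = key[1]
            elif key[:2] == ["modify", "table"]:
                rule.table = int(key[2])
            elif key[:2] == ["source", "address"]:
                rule.source = ipaddress.ip_network(key[2], strict=False)
            elif key[:2] == ["destination", "port"]:
                rule.ports = parse_ports(key[2])
            elif key[:1] == ["protocol"]:
                rule.protocol = key[1]
    return rules, tables


def next_hop(rules: Dict[int, ModifyRule], tables: Dict[int, str],
             src: str, proto: str, dport: int) -> str:
    """Lowest-numbered matching rule selects the table; otherwise the main table.

    A rule that names a table with no static route is treated here as a
    fall-through to the main table (assumption made for the simulation).
    """
    src_ip = ipaddress.ip_address(src)
    for number in sorted(rules):
        r = rules[number]
        if r.action != "modify" or r.table is None:
            continue
        if r.source is not None and src_ip not in r.source:
            continue
        if r.protocol is not None and r.protocol != proto:
            continue
        if r.ports and dport not in r.ports:
            continue
        return tables.get(r.table, MAIN_DEFAULT_NEXT_HOP)
    return MAIN_DEFAULT_NEXT_HOP


if __name__ == "__main__":
    parsed_rules, parsed_tables = parse_config(USG_CONFIG)
    # Constructed flows: dev SSH, dev Postgres, browsing, UDP to 22, non-LAN source.
    flows = [("172.16.5.20", "tcp", 22), ("172.16.5.20", "tcp", 5432),
             ("172.16.5.20", "tcp", 443), ("172.16.5.20", "udp", 22),
             ("10.0.0.9", "tcp", 22)]
    for s, p, d in flows:
        print(f"{s:>12} {p}/{d:<5} -> next-hop {next_hop(parsed_rules, parsed_tables, s, p, d)}")
```

Note that the rule matches on protocol `tcp` only, so UDP to port 22 and any flow from outside 172.16.0.0/16 still leave via the main-table default.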
There is no easy way to split the internet in half without also splitting your networks in half. Good news is that this sounds pretty much like what you were expecting to have to do anyway.
If you have VLAN100 set to use ISP A and VLAN200 set to use ISP B, then you can do inter-vlan routing to get full LAN access for both networks, and set your default gateways to the respective ISPs to control the internet access.
Now, if you wanted to do this so that all of your developers and non-developers were on the correct VLANs regardless of whether they were plugged in or on WiFi, there are multiple ways of achieving this.
For your WiFi, you could use WPA2-Enterprise authentication with a RADIUS server that specifies which VLAN to put the user on. Essentially, instead of having the same shared key to connect to the WiFi, users connect with a username and password. The username they provide indicates which VLAN they will be put onto. Ubiquiti UniFi (good choice, btw) can absolutely do this.
The other option for WiFi would just be to have two SSIDs, one on each VLAN, and you just instruct your staff to connect to one or the other. UniFi can also do this very easily.
For your wired connections, you can use 802.1X port-based network access control. Essentially this is similar to WPA2-Enterprise. When a user plugs into the network, the operating system detects that you need to do 802.1X authentication and prompts the user for a network username/password (or it passes one through in the case of Active Directory and Windows). Once authenticated, 802.1X will put the user on the appropriate VLAN. This way users can plug in wherever they want and still end up on the right network.
The other option, if your users are static, is to just manually assign port-based VLANs to their ethernet port and that way anyone who sits down and plugs into a given port will end up on one of the two networks.
With this setup, the devs would connect to AWS/Azure directly via Terminal/Putty without any issues but they would also browse via the same gateway which would be slower.
This is a difficult problem to overcome. If you have a very specific set of IP addresses you are connecting to, then some routing rules could come in handy. But what tends to happen then is if you have a basic SPI firewall they will often drop the return connections because they didn't see them get initiated (asynchronous routing).
But it sounds like the devs are not going to be any worse off than they are now. Right now you're shoving 35 people down the one 4Mbps pipe. Now you're only shoving 10 people down that pipe, so it might still be a win.
answered May 3 '17 at 10:01 by Mark Henderson♦ (61.3k)
Hey Shannon, I managed to solve the issue above. Really appreciate your thoughts.
– user2967920
Jun 22 '17 at 9:18