Dual WAN Advice Please

[Chunky]

I'm reconfiguring a network, need a new router and someone suggested a Dual WAN Router solution to all my problems. I need some advice to make sure I'm not going down a dead end. Here's the topology:

• Gigabit network with a very, very slow broadband that will not be upgraded any time soon. On a good day it's 4Mb. On this network sits a wireless router, a server, CCTV Ip cameras, PCs, printers, fax, all the usual stuff.
  .
• Next door, (literally) I have a connection to what is effectively a duplicate layout. It has business broadband (but also very slow). The link allows the servers to backup to each other and CCTV can be shared to give a bigger capture area. We can also share a document library and some similar stuff like music without need to mirror data.
  .
• Each individual network is for completely different businesses and there is no option or desire to combine them as one.
  .
• Both individual networks have fixed IP which allows remote access (CCTV, documents). The connection between the two will soon be upgraded from Cat 5e to fibre but the broadband will remain stuck in the 20th century. Initially the fibre will be with transducers and RJ45 connections but will give some future proofing.
  .
• Each has a different ISP. Both tend to be prone to drop-outs and outages but sometimes not at the same time.
  .
• In the current joined configuration everything works okay(ish) but the server backups take an eternity and the remote access is sometimes way too slow or rolls over.

I plan to switch my ISP, but it will still be a pretty slow service. I want to retain the link to next door, the shared facilities and the remote access. But I also want to get the option to use either of the broadband connections automatically when mine goes AWOL or even better, use them both and get slightly faster speed than watching paint dry.

Someone suggested using a Dual WAN router, with one input plugged into my ISP and the other plugged into the link from next door. If it all works well I can suggest duplicating for the other network.

Will this work? Any drawbacks, or benefits that I haven't thought of? Can anyone advise about configuration, addressing and such like?

Many thanks.

.

 

[theonlyski]

Depending on your service level, you may only have 1 IP address for each ISP link so you would only have one gateway.

Good plan going to fiber, running copper between buildings is almost never a good idea.

What kind of time/money/resources are you willing to commit to this project?

 

[Chunky]

Thanks for the quick reply.

I appreciate the comment about maybe only one gateway, but is this the case if we are both with different ISPs? The business broadband at the next door network is supposedly low contention factor, but I don't want/need to go to that expense for mine. The 2 miles of copper cable go back to the exchange with no boxes and no breaks (apparently). Given that it's the fastest fibre-enabled exchange in the whole town I'm guessing that once we get there there's gateways a-plenty?

As for time and budget ............... time is not much of a problem and expertise with the physical part is no issue either- all the way up to to crimping RJ45 terminals and having access to a top of the range fibre splicer and (relatively) cheap kit. I'm installing 32 core multi mode around key parts of the place while I'm at it. If someone ever does replace copper with fibre all the way back to the exchange we could do something pretty awesome.

For this stage I see the Dual WAN router(s) as the only significant expense and I'm finding them available in the UK for less than £100 (Tp-Link) to maybe £150 for Cisco kit and really well reviewed LinkSys gear at ~ £170. I'd plan to plug the D-WAN into a 32 port unmanaged gigabit switch I have to provide enough connections out. Wireless is dealt with using a Netgear WDN3700 and some Netgear repeaters.

The only resource restriction is for configuration - dealing with the obvious stuff is no problem but I don't need complicated set up and management. I do a network about every 3-5 years so by the time something goes wrong I've forgotten the stuff that was so obvious when it went in.

_______________________________________________________________________________________________________________________________

Edit ...... I can get the LinkSys LRT224 for £115 all in and if that's a good choice, I've had success with their equipment before.

p.s. Each network needs to have it's own addressing scheme and administrator, but with the option of setting up read only or read/write privileges between the two for access to servers, CCTV, etc based on user ID credentials.

p.p.s . Or maybe even the ZyXEL SBG3300-N which is multi-WAN, cable or fibre, will take a 3G/4G dongle and has Wireless N 2 x 2, all for £167.


.

 

[System Error Message]

Some routers even premium consumer ones support dual WAN with failover or for more bandwidth. Your choice of going with a premium consumer one or even a business or configurable one should depend on the reliability, performance and skill you want.

Many consumer routers support dual WAN but they arent reliable in that area or in general.
There are easy to configure dual wan routers from zyxel, peplink (overpriced), cisco for example which would be more suitable for business but i wouldnt look at the cisco rv
Configurable ones for example would be mikrotik and ubiquiti edgerouter. They require a lot of skill to set up and configure but can give you the results you want.

Another good router would be pfsense for dual WAN and firewall but it requires setting up a PC for it. You could get pfsense preinstalled with a system. Its well suited for businesses too.

 

[Chunky]

Okay, I appreciate what you say. For two small business networks it looks like we are going to be in ZyXEL, etc. territory then, which will be easy for set up and management. With only at very best 2 x 4MB to play with, it isn't worth worrying about ultimate reliability of the fall over.

But equipment is really a secondary issue. The primary issue is as per my original question:

Will this (Dual WAN) work? Any drawbacks, or benefits that I haven't thought of? Can anyone advise about configuration, addressing and such like?

.

 

[System Error Message]

To make it work assuming both of you use dual WANs is to plug your internet into WAN1 and the 2nd WAN/port into your neighbour's LAN port. Setup WAN1 as usual and setup WAN2 using DHCP and set WAN2 to be failover. Its really simple.

For your neighbour's setup you will need to do the same thing. Because you're plugging WAN2 into LAN ports you do not need to worry about loops as long as WAN2 interface is not defined to be part of LAN. If it is not switched than it would be even better.

 

[messerchmidt]

build a pfsense box using older and/or inexpensive parts. just ensure that you use intel lan cards (from ebay is fine).

www.pfsense.com

this will make the load balancing,etc all work properly

basically a pc converted to a freebsd based router

 

[Chunky]

To make it work assuming both of you use dual WANs is to plug your internet into WAN1 and the 2nd WAN/port into your neighbour's LAN port. Setup WAN1 as usual and setup WAN2 using DHCP and set WAN2 to be failover. Its really simple.

For your neighbour's setup you will need to do the same thing. Because you're plugging WAN2 into LAN ports you do not need to worry about loops as long as WAN2 interface is not defined to be part of LAN. If it is not switched than it would be even better.

Thanks for that. I'm starting to get the picture now.

What about the addressing? If both D-WANs are going to be DHCP, how will we deal with the address of a server or CCTV camera on the "other" network? i.e even if we go 192.168.0.0 - 255 and 192.168.1. 0-255, how do things work without them having a fight in the middle?

We're not in a position to make everything on each network fixed IP address, although that is already the case for key items like servers, printers, cameras. PC's and laptops though need to be DHCP.

.

 

[System Error Message]

This can be done via static routes. If both networks use different IPs than it is possible. So for example your network can be 192.168.1.0 and the other can be 192.168.2.0.

The way normal routes and gateway work is if you have 1 LAN that connects to internet than the only route would be 0.0.0.0/0 with gateway being your WAN gateway. Failover works by having 2 same routes but with different weights. However to prevent confusion you may need to define a static route such as 192.168.2.0 gateway 192.168.1.1 (router) for all devices within your LAN.

Using a static route would reduce processing on router but it is still L3 and limited to the speed of your router. Usually for MIPS based devices routing is 4 times faster than NAT. 600Mhz MIPS 24K will do 1Gb/s L2 or L3 switching and 200-300Mb/s of NAT in software.

 

[Samir]

I can't tell what the exact network diagram is from your description, but I would approach this a completely different way.

If your objective is to have dual wans that either location can use as the gateway and have some limited connectivity between the two networks, then the first problem is getting both wans at one location.

I'd run a line or use a technology like netsys-direct ethernet extenders to get the Internet connection from one location to the other. Then you can connect both wans to a single router.

Next, your router will need to be able to do vlans and can assign one vlan to one network and another vlan to the other, keeping the two networks separate. You can punch holes in vlan isolation in the Cisco rv-series routers, so you could do that for the devices you need. But you'll also need connectivity from the other location as this will become their router too.

Pros of this configuration:
- only one router needed
- only two cable runs needed

Cons:
- single point of failure (router) that can take down both networks.
- cable runs between locations could also be points of failure

The other way to do this will be similar to what has been suggested previously, using two routers.

You will still need to run two connections between both locations, but they would be wired differently. One wan will go to each router, but then the other WAN connection will connect to the LAN of the other. You can limit any network connectivity between the two using static routes.

Pros of this configuration:
- one business's router failure does not affect the other.

Cons:
- cost of two routers
- cable runs between locations could still be points of failure

There's also ways to solve certain parts of the problem using vpn, but I need a network map and requirements before figuring it all out.

 

[System Error Message]

I can't tell what the exact network diagram is from your description, but I would approach this a completely different way.

If your objective is to have dual wans that either location can use as the gateway and have some limited connectivity between the two networks, then the first problem is getting both wans at one location.

I'd run a line or use a technology like netsys-direct ethernet extenders to get the Internet connection from one location to the other. Then you can connect both wans to a single router.

Next, your router will need to be able to do vlans and can assign one vlan to one network and another vlan to the other, keeping the two networks separate. You can punch holes in vlan isolation in the Cisco rv-series routers, so you could do that for the devices you need. But you'll also need connectivity from the other location as this will become their router too.

Pros of this configuration:
- only one router needed
- only two cable runs needed

Cons:
- single point of failure (router) that can take down both networks.
- cable runs between locations could also be points of failure

The other way to do this will be similar to what has been suggested previously, using two routers.

You will still need to run two connections between both locations, but they would be wired differently. One wan will go to each router, but then the other WAN connection will connect to the LAN of the other. You can limit any network connectivity between the two using static routes.

Pros of this configuration:
- one business's router failure does not affect the other.

Cons:
- cost of two routers
- cable runs between locations could still be points of failure

There's also ways to solve certain parts of the problem using vpn, but I need a network map and requirements before figuring it all out.

He cant use a single router because both he and his neighbour arent related, it would be difficult to agree on things and at the same time they both dont want each's network to be completely access-able unrestrictively.

I dont think you would need to configure static routes but when using NAT the performance is lower and you dont see which IP is accessing what. Configuring static routes is more complicated because devices on both networks would need to be configured for that but it is faster than using NAT for that. By default things will work as i said in previous posts and when using NAT just typing in the LAN IP of your neighbour's device should work but it may require port forwarding if it doesnt work. With dual WAN it is very important that you set a static NAT route on the routers so that it knows to use the back up link for your neighbour's network.

 

[Samir]

He cant use a single router because both he and his neighbour arent related, it would be difficult to agree on things and at the same time they both dont want each's network to be completely access-able unrestrictively.

I dont think you would need to configure static routes but when using NAT the performance is lower and you dont see which IP is accessing what. Configuring static routes is more complicated because devices on both networks would need to be configured for that but it is faster than using NAT for that. By default things will work as i said in previous posts and when using NAT just typing in the LAN IP of your neighbour's device should work but it may require port forwarding if it doesnt work. With dual WAN it is very important that you set a static NAT route on the routers so that it knows to use the back up link for your neighbour's network.

I think if he's got access to the neighbor's Internet and they're sharing things already, then that's not an issue.

NAT doesn't decrease performance. A static route won't work like that for a backup, not unless it's on the client itself. Most dual wan routers won't route to an external or internal IP as opposed to one of their wan ports.

 

[System Error Message]

I think if he's got access to the neighbor's Internet and they're sharing things already, then that's not an issue.

NAT doesn't decrease performance. A static route won't work like that for a backup, not unless it's on the client itself. Most dual wan routers won't route to an external or internal IP as opposed to one of their wan ports.

His neighbour's LAN is considered an external IP compared to his own LAN if they use different networks. Ive used static routes and if you use NAT for them the clients dont need to have it configured. For me it is very easy to configure multiple NATs on a configurable router. Im not sure if zyxel can do it though but from what ive seen on a normal zyxel router i think it might be possible.

His neighbour and him agreed to share resources but that doesnt mean either one would be comfortable with one having the router while the other not having much control. Thats why he specifically asked for this setup.

And yes NAT decreases performance. Software based routers route faster than they do NAT although many devices now have hardware NAT, they tend to be more limiting in what they can do.

 

[Samir]

His neighbour's LAN is considered an external IP compared to his own LAN if they use different networks. Ive used static routes and if you use NAT for them the clients dont need to have it configured. For me it is very easy to configure multiple NATs on a configurable router. Im not sure if zyxel can do it though but from what ive seen on a normal zyxel router i think it might be possible.

His neighbour and him agreed to share resources but that doesnt mean either one would be comfortable with one having the router while the other not having much control. Thats why he specifically asked for this setup.

And yes NAT decreases performance. Software based routers route faster than they do NAT although many devices now have hardware NAT, they tend to be more limiting in what they can do.

What you're talking about is programming the balancing and failover manually in a configurable router. I applaud you for being able to do this, but I don't think anyone that's looking to buy a production router will have anywhere near the network engineering knowledge to pull this off.

I don't know about all the details on how the software part of NAT affects wire speed, but I know that an ftp server behind a NAT can run at full wire speed, and that's with NAT overhead on a consumer router. I don't think NAT is as big a resource eater as you're making it out to be.

 

[Chunky]

Sorry Samir, but SEM is bang on the money as per my first post.

There are two independent businesses with absolutely no desire to share a single router, but we are happy to allow our DS411+s to back up to the other guy's (with appropriate security). If one office burns down, the maximum lost data is a couple of hours work.

Ditto for IP security cameras - I can see his by using his external fixed IP, but it would be so much slicker if my cameras & CCTV server could just talk across the the network and vice vera.

Connections are not a problem - as previously stated the Cat5e that is already there between me and the neighbouring business will soon be Cat 6 and there is a 32 core multi-mode fibre going in between us.

The bottom line is that we have really slooowww, flaky broadband that isn't going to be upgraded to superfast this side of the Atlantic freezing over. Having an auto fall back to each other's connection would be a major boost.

p.s. I've been running PingAssist for the last week, with several targets including 8.8.8.8 (Google). Sometimes it is 35ms. Not bad. Sometimes it is 145ms. Sometimes it times out, as do all the other external addresses because local broadband has collapsed for a few minutes.

Dual WAN looked to be the way to go, but I'm receptive to any idea that doesn't involve putting all our eggs in one basket. I'm not interested in building a pfsense router out of old bits from the throwaway cupboard; something modest UK priced and off the shelf will do nicely.

.

 

[jesica]

I have to provide enough connections out

 

[Samir]

Sorry Samir, but SEM is bang on the money as per my first post.

There are two independent businesses with absolutely no desire to share a single router, but we are happy to allow our DS411+s to back up to the other guy's (with appropriate security). If one office burns down, the maximum lost data is a couple of hours work.

Ditto for IP security cameras - I can see his by using his external fixed IP, but it would be so much slicker if my cameras & CCTV server could just talk across the the network and vice vera.

Connections are not a problem - as previously stated the Cat5e that is already there between me and the neighbouring business will soon be Cat 6 and there is a 32 core multi-mode fibre going in between us.

The bottom line is that we have really slooowww, flaky broadband that isn't going to be upgraded to superfast this side of the Atlantic freezing over. Having an auto fall back to each other's connection would be a major boost.

p.s. I've been running PingAssist for the last week, with several targets including 8.8.8.8 (Google). Sometimes it is 35ms. Not bad. Sometimes it is 145ms. Sometimes it times out, as do all the other external addresses because local broadband has collapsed for a few minutes.

Dual WAN looked to be the way to go, but I'm receptive to any idea that doesn't involve putting all our eggs in one basket. I'm not interested in building a pfsense router out of old bits from the throwaway cupboard; something modest UK priced and off the shelf will do nicely.

.

Okay, then it gets very simple--two dual wan routers, two IP addresses from each wan, switches at each wan and then run a connection from each wan to both routers. Done.

 

[theonlyski]

If you can find a couple cheap Cisco ISR platforms (1800s series would work great and can be found somewhat inexpensively CLICKY ), you can use HSRP (hot router standby protocol) and accomplish outbound connectivity fairly easily. I will try to draw up a diagram for it. I would highly suggest finding a Cisco CCNP for this (or someone with equivalent knowledge and skill) as it can be a little much for a user that is used to GUIs. I think that the Cisco Configuration Professional program would have the ability to set this up, but I have never done an HSRP install with it.

There could be some issues with VLAN tagging that would have to be addressed if your router only has two ports, so it would be better IMO to go with one that has an integrated switch on the back. (such as this one Clicky)

Once you have the hardware, the HSRP configuration is pretty simple on both devices. Then you can use IP SLA tracking that would give you the ability to say what to monitor, how often to check it and what limit you want it to hit before it fails over.

For any neighsayers out there, HSRP is used in very large enterprises where first hop redundancy is critical. There are others like GLBP and VRRP but I believe in this case HSRP would be the better option.

Unfortunately, the 1800 series routers are 100mb connected and to get Gigabit connectivity, you'll need to add a little more hardware to them, but if you shop around you may be able to find something out there that would suit your needs. As long as it's a Cisco ISR, it should support HSRP. The routers don't have to be a 1 for 1 match either, a 3900 and a 1900 would work just fine in HSRP mode. The big thing is the number of interfaces and speed.

Before you commit to buying anything, tell us what you're planning on buying (direct links) and draw up a current network diagram so we can see what you're looking at and make sure the ISR will do the job for you.

 

[Samir]

I will try to draw up a diagram for it.

This is essentially the same configuration that I posted in my previous post--two routers (in this case Cisco HSRR ones), two connections from each wan--one going to each router. Each router multi-wan. You can actually use a Cisco rv series or any other smb router for this application without a problem. I believe even a Ubiquiti EdgeRouter Lite will do the trick too.

 

[theonlyski]

This is essentially the same configuration that I posted in my previous post--two routers (in this case Cisco HSRR ones), two connections from each wan--one going to each router.

Not the same solution at all. The one I posted only requires one ISP connection per building, but allows for failover via IP SLA tracking and HSRP prioritizing. The solution you seem to have provided would probably work for outbound connections, but would be likely result in suboptimal failovers/performance. I could even see how it could result in asymmetric routing if configuration to prevent it isn't done.