How to VLAN connect two Routers

Comments

10 comments

  • Maintenance

    What ports are forwarded for internal file shares on the PCs?

  • David Rothenberger

    How are the two buildings wired together? Is there a connection between the two FWGs?

    If there is a connection and the FWGs can communicate, I think all you need to do is add routes on each of the FWGs for the subnets in the other building, routing to the other FWG. You will also need to create rules for the various subnets to allow the traffic you want to allow.

    I think you'll have to share more details of how everything is wired, what VLANs you have already, etc., before we'll be able to provide much help.

  • Maintenance

    Trying to attach a PDF of our diagram... it only allows "pics".

  • Maintenance

    Here is a screenshot of the PDF diagram.

  • Firewalla

    Are the two sites linked together with a switch? Or a router? If it is a switch, is there a master DHCP server somewhere? How does the traffic flow now?

    The reason I am asking is, VLANs are layer 2, and they usually don't go across routers, which are layer 3 devices.

  • Maintenance

    The two sites are linked together with the Ubiquiti antennas and each antenna is plugged into a local switch like it shows in the diagram. The traffic flow is pretty good... it goes around 100 Mbps all day in all weather.

    The DHCP on each side is the Firewalla Gold router on each side.... that was the main issue... one router would give an address to a device in the other building.

  • Maintenance

    I've tried to stop using the antennas and connect the two networks together using a VPN... they connect using OpenVPN, yet each side can "ping" all on the other side, but PCs can't see printers or network shares on the other side.

    Something is missing or incorrect.

  • David Rothenberger

    It sounds like you have two competing requirements here:

    1. Isolate the two networks, so you can create rules to allow the traffic you want between them and block the rest.
    2. Have printer and network share discovery work across the two buildings.

    These are competing because you must separate the networks of the two buildings for the first requirement, but printer and network discovery likely rely on multicast broadcasts, and those will not span networks.

    When the antennas are connected, you've joined the two networks into one big network, with two routers and two DHCP servers. This is not going to work the way you want.

    With the antennas disconnected, each building is its own network. The Site-to-Site VPN allows connectivity between the two networks, but as I described above, it's not likely that network share and printer discovery will work this way.

  • Maintenance

    OK, we can live with not getting printers... the only thing we need is for the Library System and its kiosks to be able to communicate with each other.

    The kiosks run by starting the app from the Library System shared folder and talking back to the Library System's database.

  • David Rothenberger

    You can probably get the shared folders to work even if you put the two buildings on different networks, although I don't think the discovery in Windows will work. However, if you specify the share explicitly, it will likely work as long as the correct ports are allowed in the firewall rules.

    Printers may be the same. You may be able to manually connect them to devices by specifying their IP address or DNS directly, although automatic discovery may not work.

    If you want to keep using the Site-to-Site VPN, then you have successfully separated the two networks. All that remains is to add the rules you need to control traffic between them, if any.

    If you wish to go back to the antennas linking the buildings, you'll need to implement VLANs to separate the two buildings into different networks, or connect the antennas directly to the FWGs. The goal is to have a separate network in the Firewalla for each building. The networks can be defined using VLANs or ports on the FWG, so if you can plug the antennas directly into the FWGs, you can create a separate network for the antenna port on each FWG to define the "other building's network". Then, you can create rules to control the traffic.

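The point made across the last few replies (broadcast-based discovery will not cross the routed link, but explicit access to a share or printer works once the right TCP ports are allowed) can be checked from a kiosk with the script below. It also answers the first comment's question about which ports file sharing needs. This is an added example, not code from the thread or from Firewalla; the server address 10.0.1.10 is a hypothetical placeholder, and the self-test uses a loopback listener so it runs offline.

```python
import socket
from contextlib import contextmanager

# TCP ports that explicit (non-discovered) access to shares and printers needs
# across a routed link such as the site-to-site VPN in this thread.
# Discovery protocols (NetBIOS name service UDP/137, mDNS UDP/5353,
# SSDP UDP/1900, WS-Discovery UDP/3702) are deliberately absent: they rely on
# broadcast/multicast that a router will not forward, so the server has to be
# addressed by IP or DNS name instead.
PORTS = {
    445: "SMB (file shares, \\\\server\\share)",
    139: "NetBIOS session service (legacy SMB)",
    9100: "raw printing (JetDirect)",
    631: "IPP printing",
}

# Hypothetical address of the Library System server in the other building.
LIBRARY_SERVER = "10.0.1.10"


def probe(host, port, timeout=2.0):
    """Classify one TCP port from this host's point of view.

    'open'        handshake completed: the service answers through the VPN.
    'closed'      RST received: route and firewall pass, but nothing listens
                  (or a host firewall rejects instead of dropping).
    'filtered'    no reply before the timeout: a firewall or VPN rule drops
                  the packets; this is the usual "ping works but the share
                  does not" symptom, since ICMP is allowed and TCP/445 is not.
    'unreachable' no route from this host: the VPN route for the remote
                  subnet is missing.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:          # must precede OSError (it is a subclass)
        return "filtered"
    except OSError:
        return "unreachable"


def diagnose(host, ports=PORTS, timeout=2.0):
    """Probe every port in `ports` on `host` and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def next_step(results):
    """Turn the SMB (445) result into the next thing to check."""
    state = results.get(445)
    if state == "open":
        return "SMB reachable: map the share by address (net use X: \\\\server\\share); discovery is not needed"
    if state == "filtered":
        return "TCP 445 dropped in transit: add a firewall rule allowing the kiosk subnet to the server on 445"
    if state == "closed":
        return "Host answers but SMB is not listening or is rejected: check file sharing and the host firewall on the server"
    return "No route: check the VPN routes for the remote subnet on both routers"


@contextmanager
def _loopback_listener():
    """Temporary listener on 127.0.0.1, used only by the offline self-test."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


def selftest():
    """Check that probe() tells an open port from a closed one on loopback."""
    with _loopback_listener() as port:
        while_listening = probe("127.0.0.1", port)
    after_close = probe("127.0.0.1", port)   # nothing listens now -> RST
    return while_listening == "open" and after_close == "closed"


if __name__ == "__main__":
    results = diagnose(LIBRARY_SERVER)
    for port, state in results.items():
        print(f"{port:>5}  {state:<11}  {PORTS[port]}")
    print(next_step(results))
```

Run it on a kiosk in the other building. If ping succeeds while 445 reports "filtered", the problem is a rule rather than routing; once 445 shows "open", the kiosk can open the share by its UNC path with the server's IP, which does not depend on the Windows network browser seeing the other building.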
