How to VLAN connect two Routers
Here is our area...
2 buildings, 2 Firewalla Gold routers and two ISPs... both buildings are wired together.
How do we connect the two buildings together so PCs on each side can communicate with the other side yet only use their own router for ISP traffic?
PCs in one building to use the printer in the other building... and the Library Kiosk in building one to use the Library Database in building two.
How do we set up the VLAN to make this traffic?
How are the two buildings wired together? Is there a connection between the two FWGs?
If there is a connection and the FWGs can communicate, I think all you need to do is add routes on each of the FWGs for the subnets in the other building, routing to the other FWG. You will also need to create rules for the various subnets to allow the traffic you want to allow.
I think you'll have to share more details of how everything is wired, what VLANs you have already, etc., before we'll be able to provide much help.
The two sites are linked together with the Ubiquiti antennas and each antenna is plugged into a local switch like it shows in the diagram. The traffic flow is pretty good... it goes around 100 Mbps all day in all weather.
The DHCP on each side is the Firewalla Gold router on each side... that was the main issue... one router would give an address to a device in the other building.
It sounds like you have two competing requirements here:
- Isolate the two networks, so you can create rules to allow the traffic you want between them and block the rest.
- Have printer and network share discovery work across the two buildings.
These are competing because you must separate the networks of the two buildings for the first requirement, but printer and network discovery likely rely on multicast broadcasts, and those will not span networks.
When the antennas are connected, you've joined the two networks into one big network, with two routers and two DHCP servers. This is not going to work the way you want.
With the antennas disconnected, each building is its own network. The Site-to-Site VPN allows connectivity between the two networks, but as I described above, it's not likely that network share and printer discovery will work this way.
OK, we can live with not getting printers... the only thing we need is for the Library System and its kiosks to be able to communicate with each other.
The kiosks run by starting the app from the Library System shared folder and talking back to the Library System's database.
You can probably get the shared folders to work even if you put the two buildings on different networks, although I don't think the discovery in Windows will work. However, if you specify the share explicitly, it will likely work as long as the correct ports are allowed in the firewall rules.
Printers may be the same. You may be able to manually connect them to devices by specifying their IP address or DNS directly, although automatic discovery may not work.
If you want to keep using the Site-to-Site VPN, then you have successfully separated the two networks. All that remains is to add the rules you need to control traffic between them, if any.
If you wish to go back to the antennas linking the buildings, you'll need to implement VLANs to separate the two buildings into different networks, or connect the antennas directly to the FWGs. The goal is to have a separate network in the Firewalla for each building. The networks can be defined using VLANs or ports on the FWG, so if you can plug the antennas directly into the FWGs, you can create a separate network for the antenna port on each FWG to define the "other building's network". Then, you can create rules to control the traffic.
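The design the replies describe (separate network per building, a static route on each FWG to the other building's subnet, each FWG keeping its own ISP as default route, and rules that allow only the library traffic across the link) is modelled below as an added example; it is not code from the thread or from Firewalla. All addresses, the database port and the next-hop names are constructed assumptions.

```python
# Added example, not from the thread: a small model of the two-building design.
# Each FWG has its own default route to its ISP, a static route to the other
# building's subnet over the wireless link, and a rule set for inter-building
# traffic that allows only the library flows and denies everything else.
from ipaddress import ip_address, ip_network

# Constructed addresses and ports (assumptions, not from the thread)
BUILDING_1 = ip_network("192.168.1.0/24")       # kiosks live here
BUILDING_2 = ip_network("192.168.2.0/24")       # library system lives here
LIBRARY_SERVER = ip_address("192.168.2.10")
DB_PORT = 1433   # assumed database port; substitute the library system's real one
ANY = ip_network("0.0.0.0/0")

# Per-router routing table: (destination, next hop). Each FWG sends unknown
# destinations to its own ISP, so internet traffic never crosses the link.
ROUTES = {
    "fwg1": [(BUILDING_1, "local"), (BUILDING_2, "fwg2-via-link"), (ANY, "isp-1")],
    "fwg2": [(BUILDING_2, "local"), (BUILDING_1, "fwg1-via-link"), (ANY, "isp-2")],
}

# Inter-building rules for new connections: (src net, dst host, proto, port, action).
# First match wins; anything not listed is denied. A stateful firewall passes the
# return packets of an allowed connection, so no reverse rule is needed.
RULES = [
    (BUILDING_1, LIBRARY_SERVER, "tcp", 445, "allow"),      # SMB: app from shared folder
    (BUILDING_1, LIBRARY_SERVER, "tcp", DB_PORT, "allow"),  # kiosk -> library database
]

def router_for(src):
    """Each building's hosts are served by that building's own FWG."""
    return "fwg1" if src in BUILDING_1 else "fwg2"

def next_hop(router, dst):
    """Longest-prefix match over the router's table."""
    return max((net.prefixlen, hop) for net, hop in ROUTES[router] if dst in net)[1]

def decide(src, dst, proto, port):
    """Return (next hop, action) for a new connection from src to dst:port."""
    src, dst = ip_address(src), ip_address(dst)
    hop = next_hop(router_for(src), dst)
    if hop == "local" or hop.startswith("isp"):
        return hop, "allow"          # same building, or out through the local ISP
    for rule_src, rule_dst, rule_proto, rule_port, action in RULES:
        if src in rule_src and dst == rule_dst and proto == rule_proto and port == rule_port:
            return hop, action
    return hop, "deny"               # default deny for everything else across the link
```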