Networking & Wireless

Question

Two Internet Modems, one network - need dedicated IP ranges

by NetRouser / March 30, 2012 5:57 PM PDT

Here's the setup:
- 2 Internet lines from different ISPs
- 1 physical firewall where the Net lines converge
- 25 users running PCs (mostly Windows 7, no Mac, no Linux)

Here's what I need to do:
- Dedicate 50 exclusive IP addresses to each modem
- Require users to manually switch their IP addresses in order to switch to the other ISP

Why I need this:
- We don't have a dedicated IT person
- I need to know who is accessing the net through which ISP at any given time (monitoring is required in case of priority uploads that demand greater bandwidth. This way I can tell non-essential users to switch over to any one ISP leaving the other line for the upload)
- A fallback system does not let me know if a network is down since the firewall automatically switches and the user remains unaffected.


All Answers

Answer
manual operation
by bill012 / March 30, 2012 9:21 PM PDT

At least your plan has a chance. Most people come here and want to automatically switch between 2 ISPs and then are surprised to learn how expensive and complex that is.

Not sure why you would need 50 IPs. In general it is preferred to NAT the IPs unless you actually need an INCOMING session from the internet. This tends to only be needed for servers. The NAT alone provides most of the protection a firewall does. Still, it will work fine as long as you can afford the IPs.

Exactly how you implement this will depend on the capability of the firewall. The simple option is to run the firewall in "transparent" mode or layer 2. Depends on the firewall what they call this feature. In this case the firewall is invisible on the network and pretty much works as a cable splice that can block selected traffic. The other way to do this will require the firewall to be able to have 2 IP addresses on a single interface or to cable 2 interfaces on the firewall to the same switch that runs your PC network. Again, exactly how you do this will depend on the firewall.

Your key to monitoring which PC is on which network is to keep track of the MAC addresses of the machines. The firewall will have a list of open sessions which should show you which IPs are in use and what MAC addresses are associated with each IP.

Not sure what you want in a fallback system. This starts to get into the complexity of an automated failover. The simplest way to do this would be to get a junk laptop, load 2 tiny virtual machines running Linux and assign an IP from each network to each virtual machine. You could then leave a constant ping running in each to some internet address. You could then look at the screen and see if you are getting loss. Now of course you could load even more software to detect the loss and send email and such, but that is only a tiny part of why automated internet failover gets so complex.

Thanks Bill - hope you won't mind me pestering you some more
by NetRouser / March 30, 2012 10:24 PM PDT
In reply to: manual operation

I'm going to head in on Monday and get all the dope on the hardware we're using, as well as possibly pull up screenshots of the configuration screens on the firewall and routers, but for the time being I just wanted to clarify that the static IPs are not being provided by the ISP (maybe I've actually got the terminology all wrong). What I'm trying, rather unsuccessfully, to refer to is the kind of network where there is one static IP serving up the net connection, but rather than enable DHCP across the private office network I want each PC to have an IP address defined in the network settings. Now, based on the IP address defined on each PC, they are either allowed access or denied it on the 2 internet networks.

Here's how I explained it to our external IT solution provider:

There are to be two arrays of IPs. Array 'A' will be allotted to the Hathway router and Array 'B' to the Airtel router. (Hathway and Airtel are the two ISPs)

To illustrate: Array A = 192.168.1.100 - 192.168.1.150 [Hathway]
Array B = 192.168.1.151 - 192.168.1.200 [Airtel]

The 2 arrays must be dedicated such that the user with an IP like 192.168.1.154 cannot access Hathway and a user with IP 192.168.1.122 cannot access Airtel. To access a different network should require a manual switch of the user IP only. Essentially, DHCP is to be disabled on the modems and manual IPs must be allotted to each user.

How this helps us manage our networks is:

1. If I run an IP scan, based on the IP range I get to know which user is on what broadband network
2. This helps control data throughput when there are crucial uploads going on that are time-bound
3. We also get to know when one of our networks is down which does not happen with a fallback system since the user is unaware of any break in the connection.

Also, Bill, to answer your question about why I need 50 IPs dedicated on each modem/network, this is essentially to allow additional users (via wifi or wired LAN) to also jump onto the network without any shortfall in available IPs.

ip ranges
by bill012 / March 31, 2012 3:49 AM PDT

I see you meant the inside IP blocks, not real routable IPs.

That is somewhat easier. I would in this case run the firewall in layer 3 mode.

You would, say, use 192.168.1.1 as the firewall address on the LAN side. You would connect your 2 ISPs to the firewall, and let's just say you used 192.168.2.1 for ISP 1 and 192.168.3.1 for ISP 2, and your firewall has addresses 192.168.2.2 and 192.168.3.2 for these connections.

You then have 2 choices. The ISP modem/routers can route 192.168.1.0/24 to 192.168.x.2 (x depends on ISP), or your firewall can NAT the IPs to 192.168.2.2 and 192.168.3.2 depending on the connection. The modem/router will then NAT the IP to the real address. The double NAT can be an issue sometimes, but if the modem/router cannot actually route another subnet then you have little choice.

The key part to making this work is your firewall having the ability to route based on source address rather than destination, which is standard. So you need to say: send traffic coming from 192.168.1.100-192.168.1.150 to 192.168.2.1 and send traffic coming from 192.168.1.151-192.168.1.200 to 192.168.3.1. This is called source-based routing or policy routing depending on the device.

Pretty much this is load balancing your users based on the honor system, since they can change their IP at will. It also in no way prevents the machines, for example 192.168.1.105, talking to 192.168.1.155. You technically would not have to change the IP on the user PC; you could just change the rules in the firewall on which ISP you send a particular source IP to.

You can also do this running the firewall in layer 2 mode, but it is more complex for the users. You would in this case put one ISP router/modem on 192.168.1.1 and the other one on 192.168.1.2. The users would not change their IP, they would only change the gateway. I guess you could ask them to change the IP also, since it will make it easier to monitor. The firewall configuration is much easier since it puts the burden on the users to select the ISP. Again, this only works in a trusted environment.
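The source-based routing bill012 describes in this answer, and the "IP scan tells me who is on which ISP" check from the original poster's two arrays, as an added worked example. This is not code from the thread or from any firewall vendor. It assumes the firewall is a Linux box using iproute2 syntax, with hypothetical uplink interfaces eth1/eth2 and routing tables 100/200, and reuses the 192.168.2.1 / 192.168.3.1 gateway addresses from the answer; the scan output at the bottom is constructed. The point it adds is that the poster's ranges (100-150 and 151-200) are not CIDR-aligned, so a prefix-based device needs several rules per ISP, and the covering prefixes have to be computed rather than typed by hand.

```python
# Added example (not from the thread or any firewall vendor): turn the two
# address "arrays" into Linux policy-routing rules and sort a scan by ISP.
# Assumptions: iproute2 on the firewall, uplink interfaces eth1/eth2,
# routing tables 100/200, and bill012's 192.168.2.1 / 192.168.3.1 gateways.
from ipaddress import ip_address, summarize_address_range

# The poster's ranges, exactly as given. They are not CIDR-aligned,
# so a prefix-based firewall needs several rules per ISP.
ISP_RANGES = {
    "Hathway": ("192.168.1.100", "192.168.1.150"),
    "Airtel":  ("192.168.1.151", "192.168.1.200"),
}

# Assumed uplink parameters per ISP (hypothetical interface names and table ids).
ISP_UPLINKS = {
    "Hathway": {"table": 100, "dev": "eth1", "gw": "192.168.2.1"},
    "Airtel":  {"table": 200, "dev": "eth2", "gw": "192.168.3.1"},
}


def prefixes_for(first, last):
    """Smallest list of CIDR prefixes covering first..last inclusive."""
    nets = summarize_address_range(ip_address(first), ip_address(last))
    return [str(n) for n in nets]


def policy_routing_commands(ranges=ISP_RANGES, uplinks=ISP_UPLINKS):
    """iproute2 commands: one default route per ISP table, then one
    'ip rule' per covering prefix sending that source range to the table.
    Sources outside both arrays fall through to the main routing table."""
    cmds = []
    for isp, (first, last) in ranges.items():
        up = uplinks[isp]
        cmds.append(
            f"ip route add default via {up['gw']} dev {up['dev']} table {up['table']}"
        )
        for net in prefixes_for(first, last):
            cmds.append(
                f"ip rule add from {net} lookup {up['table']} priority {up['table']}"
            )
    return cmds


def isp_for(addr, ranges=ISP_RANGES):
    """Which ISP a source address is assigned to, or None if outside both."""
    a = ip_address(addr)
    for isp, (first, last) in ranges.items():
        if ip_address(first) <= a <= ip_address(last):
            return isp
    return None


def classify_scan(scan_lines, ranges=ISP_RANGES):
    """Group '<ip> <mac>' scan lines by ISP: the honour-system check the
    poster describes. Hosts outside both arrays land in 'unassigned'."""
    groups = {isp: [] for isp in ranges}
    groups["unassigned"] = []
    for line in scan_lines:
        ip, mac = line.split()
        groups[isp_for(ip, ranges) or "unassigned"].append((ip, mac.lower()))
    return groups


# Constructed scan output, in the '<ip> <mac>' shape an ARP/IP scanner prints.
SAMPLE_SCAN = [
    "192.168.1.105 00:1A:2B:3C:4D:01",
    "192.168.1.122 00:1A:2B:3C:4D:02",
    "192.168.1.154 00:1A:2B:3C:4D:03",
    "192.168.1.50 00:1A:2B:3C:4D:04",   # outside both arrays
]

if __name__ == "__main__":
    for c in policy_routing_commands():
        print(c)
    for isp, hosts in classify_scan(SAMPLE_SCAN).items():
        print(isp, hosts)
```

Running it prints 14 commands: a default route in each ISP's table, seven `ip rule` lines for the Hathway range (100-150 splits into /30, /29, /28, /28, /30, /31, /32) and five for Airtel (151-200). A host whose address is outside both arrays matches no rule and takes whatever default the main table has, so that table decides whether the "unassigned" machines in the scan get an uplink at all. As the answer says, nothing here stops a user from changing their own address; the scan grouping only tells you where each machine currently sits.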

Thanks mate
by NetRouser / March 31, 2012 6:24 AM PDT
In reply to: ip ranges

Fantastic stuff, Bill. Thanks a bundle. I'll put it to the test this coming week. You're absolutely right. This is the good old fashioned honour system. A quick IP scan will reveal the dishonourable ones when the need arises. We currently run the firewall in layer 2 mode and I was considering installing a software switch on all the user PCs to make changing the network a single-click affair, so the gateway and the IP get modified through a preset. I have such a switch running on my workstation already. The idea is not so much that of policing them but just knowing which systems need to be taken off a specific line when the bandwidth is required. Your advice is immensely helpful and very reassuring, since my external IT provider has been giving me quite the run-around over something that just seemed logical and very doable to me. I'll get back and post the results once I've had a chance to roll up my sleeves and get a little network grime on my hands in the coming week. Cheers!
