Two routers on one network

Drake2007

Expert Member
Joined
Oct 23, 2008
Messages
4,400
I've had a request for this, so let me explain why first.

Company's branch network is on the arse-end of a huge national Windows Domain, active directory with windows shares etc. The internet for the branch in question is mind numbingly slow, so they want another ADSL line/router connection separate from the Domain. I can't touch a thing with regards to the Domain connection. Their Laptops/Desktops are all assigned static IPs on their ethernet connections.

So I don't really know where to begin and am in two minds about the solution.

1) can I put another router on their network?

2) If I go wireless for their laptops and assign that way, how would I get around the obvious conflict between the domain side's and the new ADSL side's routers? ( If that makes any sense)
2a) Would the users have to disconnect their ethernet connections to go through the new adsl line?

3) I would think a better solution would be to speed up their domain's connection ( AFAIK they have the fastest physical connection already), would it be better to have a domain slave server to cache domain traffic?
3a) What would I need to do to prove that would actually solve the problem, I'd imagine it would be initially quite expensive to do that.
 

Nerfherder

Honorary Master
Joined
Apr 21, 2008
Messages
25,397
Why not get a load balancing router and use one connection for Domain and the other for internet?
 

Drake2007

Expert Member
Joined
Oct 23, 2008
Messages
4,400
Why not get a load balancing router and use one connection for Domain and the other for internet?
Thanks I'll look into that.

I also forgot to mention they have a PABX in the mix, dunno if that makes any difference.
 

bekdik

Honorary Master
Joined
Dec 5, 2004
Messages
12,860
You can have 2 routers. Bear in mind that on a corporate network you will also need a robust firewall.

Easiest setup probably is to install a proxy server and change the IE connection settings to use that proxy.
 

davemc

Executive Member
Joined
Apr 8, 2009
Messages
6,519
Leave the existing network alone and add a single cheap computer onto the ass-end network, call it the proxy computer.

Onto the proxy computer, install 2 network cards, one for the network, and one for the connection to the ADSL router. Then install IPCOP ( www.ipcop.org ) on this machine (proxy) to handle the network requests, firewalling, load balancing and other stuff for the internet connection.

Then, have the central domain controller configure the domain settings so that the ass-end computers all get the details of the proxy computer to use as the browsing proxy. (Use the domain controller to setup internet explorer's proxy settings). If they use Firefox, you'll have to configure Firefox manually.
 

Obelix

Senior Member
Joined
Sep 28, 2003
Messages
961
I presume the second line is for the internet?
OK, I can't give you the solution as some info is lacking, but here is the gist of it....

If they are to remain on static addresses you're gonna have lots of work as you're gonna need to customize the routing table on each PC. If DHCP then the DHCP server can advertise the routes needed to your PCs for you.

Either way you need to do the following.

With 2 gateways on your network you need to tell the PC which gateway contains which networks ( IP ranges ).

Now the internet contains gazillions of networks, so it's simpler to just make it the default route. Then all traffic will head for the internet modem. Now you have 2 options. You can either add more routes on each PC to tell it that network 10.0.0.1 is on your domain gateway, or you can add a route on the internet modem that the 10.0.0.1 network is on the domain gateway.

Option 1 means lots of work for each statically addressed PC, option 2 means lots of routing work for the internet modem.

Basically for each network at the head office you need to add a route into the routing table to use a diff gateway.....

BTW, now that I think of it, check the following: is the IP range of the remote office the same as the head office? If that is the case then you probably have the reason for your overloaded line as there will be a ton of unnecessary traffic on that line. You want your remote traffic on a different ROUTED ( not bridged ) network so that only the traffic destined for that network ends up there. A BDC and WINS relay might also be a good option.
 
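As an added example (not code from the thread), this models "option 1" from the post above: a per-PC routing table with the ADSL router as the default gateway and static routes pushing the head-office networks back to the existing domain gateway, plus the persistent Windows route commands such a table translates into. All addresses and networks are constructed placeholders, not the branch's real ones.

```python
# Added example, not from the thread. Models "option 1" (static routes on each PC):
# the ADSL router becomes the default route, the head-office ranges keep going
# through the existing domain gateway. Every address below is a constructed placeholder.
from ipaddress import ip_address, ip_network

ADSL_GATEWAY = "192.168.1.254"    # constructed: new internet router (default route)
DOMAIN_GATEWAY = "192.168.1.1"    # constructed: existing WAN router to head office

# Constructed: head-office networks that must stay on the domain gateway.
HEAD_OFFICE_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12"]


def build_table():
    """Static routes for head office, then a default route (0.0.0.0/0) via ADSL."""
    table = [(ip_network(n), DOMAIN_GATEWAY) for n in HEAD_OFFICE_NETWORKS]
    table.append((ip_network("0.0.0.0/0"), ADSL_GATEWAY))
    return table


def next_hop(dest, table):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ip_address(dest)
    matches = [(net, gw) for net, gw in table if addr in net]
    net, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw


def windows_route_commands(table):
    """Persistent 'route -p add' lines for each non-default route in the table."""
    cmds = []
    for net, gw in table:
        if net.prefixlen == 0:
            continue  # the default gateway is set in the NIC's IP settings instead
        cmds.append(f"route -p add {net.network_address} mask {net.netmask} {gw}")
    return cmds


if __name__ == "__main__":
    t = build_table()
    print("\n".join(windows_route_commands(t)))
    # 10.x goes to the domain gateway, anything unmatched (e.g. a public
    # documentation-range address) falls through to the ADSL router.
    for d in ("10.20.30.40", "203.0.113.5"):
        print(d, "->", next_hop(d, t))
```

Anything not covered by a head-office route leaves through the ADSL router, which is exactly the traffic the new router would be exposing to the internet.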

midkemia

Senior Member
Joined
May 31, 2006
Messages
561
Yes, I agree with the proxy idea, as it's a lot more secure... although you would probably end up needing to go and set all the proxy settings manually though, in the end it would mean that internet browsing would be much faster, and wouldn't interfere with mail/network/domain at all
 

Drake2007

Expert Member
Joined
Oct 23, 2008
Messages
4,400
You can have 2 routers. Bear in mind that on a corporate network you will also need a robust firewall.

Easiest setup probably is to install a proxy server and change the IE connection settings to use that proxy.
The Domain admins are very strict about installing software of any kind on the desktops/laptops, also the users don't surf much, I think ( can't prove ) most of the traffic is Active Directory crud. Just to get the size of this network into perspective, the franchise is Avis.

I did find this Billion router
 

Drake2007

Expert Member
Joined
Oct 23, 2008
Messages
4,400
I presume the second line is for the internet?
OK, I can't give you the solution as some info is lacking, but here is the gist of it....

If they are to remain on static addresses you're gonna have lots of work as you're gonna need to customize the routing table on each PC. If DHCP then the DHCP server can advertise the routes needed to your PCs for you.

Either way you need to do the following.

With 2 gateways on your network you need to tell the PC which gateway contains which networks ( IP ranges ).

Now the internet contains gazillions of networks, so it's simpler to just make it the default route. Then all traffic will head for the internet modem. Now you have 2 options. You can either add more routes on each PC to tell it that network 10.0.0.1 is on your domain gateway, or you can add a route on the internet modem that the 10.0.0.1 network is on the domain gateway.

Option 1 means lots of work for each statically addressed PC, option 2 means lots of routing work for the internet modem.

Basically for each network at the head office you need to add a route into the routing table to use a diff gateway.....

BTW, now that I think of it, check the following: is the IP range of the remote office the same as the head office? If that is the case then you probably have the reason for your overloaded line as there will be a ton of unnecessary traffic on that line. You want your remote traffic on a different ROUTED ( not bridged ) network so that only the traffic destined for that network ends up there. A BDC and WINS relay might also be a good option.
I was thinking a BDC and yes every single IP is static right down to the ethernet printer.

I can't confirm the IP ranges atm but would I be correct in assuming branches are on the same network as head office because the branch doesn't use the normal 10.x.x.x or 192.168.x.x IPs? If that is the case then head office are screwing it up or their hands are also tied.
 

Drake2007

Expert Member
Joined
Oct 23, 2008
Messages
4,400
Thanks for the ideas,
I've given the branch 3 options to let them figure out the way forward with their headoffice and see what they come up with.
 

Conradl

Expert Member
Joined
Dec 10, 2008
Messages
2,630
Rather late than never, but my 2c worth,

1) can I put another router on their network?
Yes, but please don't. It's like having a castle and then a peasant makes a hole in the wall to "let in fresh air". Securing the edge is a huge problem, I know specifically that Avis has problems at their branches (or had some time back), and ADSL is not a good idea. It makes the entire company vulnerable.

2) If I go wireless for their laptops and assign that way, how would I get around the obvious conflict between the domain side's and the new ADSL side's routers? ( If that makes any sense)
2a) Would the users have to disconnect their ethernet connections to go through the new adsl line?
Wireless or wired would not make a difference, although the routing would be an issue. If policies are set to prevent connections to other networks, then you will not be able to change it. You could use a local proxy and break out to the internet using that, and use local sites across the WAN.

3) I would think a better solution would be to speed up their domain's connection ( AFAIK they have the fastest physical connection already), would it be better to have a domain slave server to cache domain traffic?
3a) What would I need to do to prove that would actually solve the problem, I'd imagine it would be initially quite expensive to do that.
How many users in the branch? I do not think that an additional DC will do anything to reduce congestion on the line; AD traffic is really minimal. What line do they have? Increasing a leased line speed need not cost too much.

There are a few things that you need to do to check the line speed.

1. Run software on the local PCs that monitors traffic and consolidates all info to a central location.
2. Configure the local router to use netflow and send the traffic to a netflow server. Of course HO may already have this info.
3. Put an invisible sniffer between your LAN and the router to tunnel traffic and build a history of traffic.
4. Port mirroring on the switch and Wireshark to check the traffic volume.

Of course, just about every suggestion relies on having access to certain systems, e.g. the local pc, switch, routers etc. Depending on how well secured the environment is, you may not have access to what you require. My advice is to talk to HQ and work with them.
 
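As an added example (not code from the thread), this is the kind of aggregation you would run over the records collected by step 1, 2 or 4 above: it takes flow records (src, dst, destination port, bytes), as a netflow collector or a Wireshark conversation export would give them, and splits WAN bytes into head-office traffic (SMB/LDAP/Kerberos) versus internet browsing, which is the question the thread is trying to answer. The branch LAN, head-office range and flow records are all constructed placeholders.

```python
# Added example, not from the thread. Aggregates constructed flow records to show
# whether the line is carrying head-office (AD/SMB) traffic or web browsing.
import csv
from collections import defaultdict
from io import StringIO
from ipaddress import ip_address, ip_network

BRANCH_LAN = ip_network("192.168.1.0/24")   # constructed: local subnet, never crosses the WAN
HEAD_OFFICE = ip_network("10.0.0.0/8")      # constructed: head-office range over the WAN link

# Well-known destination ports, used only to label flows by service.
PORT_LABELS = {80: "http", 443: "https", 445: "smb", 389: "ldap", 88: "kerberos", 53: "dns"}

# Constructed sample records in the shape a collector would export: src,dst,dport,bytes.
SAMPLE_FLOWS = """\
src,dst,dport,bytes
192.168.1.10,10.1.1.5,445,5200000
192.168.1.11,10.1.1.5,445,3100000
192.168.1.10,10.1.1.2,389,120000
192.168.1.12,10.1.1.2,88,40000
192.168.1.11,203.0.113.7,443,800000
192.168.1.13,203.0.113.9,80,250000
192.168.1.10,192.168.1.20,445,900000
"""


def classify_dst(dst):
    """Which side of the network a destination sits on."""
    addr = ip_address(dst)
    if addr in BRANCH_LAN:
        return "local"
    if addr in HEAD_OFFICE:
        return "head_office"
    return "internet"


def summarise(flow_csv):
    """Return (bytes per destination class, bytes per (class, service))."""
    by_class, by_service = defaultdict(int), defaultdict(int)
    for row in csv.DictReader(StringIO(flow_csv)):
        cls = classify_dst(row["dst"])
        svc = PORT_LABELS.get(int(row["dport"]), "other")
        by_class[cls] += int(row["bytes"])
        by_service[(cls, svc)] += int(row["bytes"])
    return dict(by_class), dict(by_service)


def head_office_share(by_class):
    """Fraction of WAN bytes (everything not local) that went to head office."""
    wan = by_class.get("head_office", 0) + by_class.get("internet", 0)
    return by_class.get("head_office", 0) / wan if wan else 0.0
```

With the constructed records, SMB to head office dominates and browsing is a small fraction of WAN bytes, which is the case where a second ADSL line would not help; real data from the branch could of course show the opposite.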

Drake2007

Expert Member
Joined
Oct 23, 2008
Messages
4,400
Rather late than never, but my 2c worth,
Yes, but please don't. It's like having a castle and then a peasant makes a hole in the wall to "let in fresh air". Securing the edge is a huge problem, I know specifically that Avis has problems at their branches (or had some time back), and ADSL is not a good idea. It makes the entire company vulnerable.
Yes, I've written that off as a bad idea wrt security, not to mention it being too complex to set up without access to the domain systems.

Wireless or wired would not make a difference, although the routing would be an issue. If policies are set to prevent connections to other networks, then you will not be able to change it. You could use a local proxy and break out to the internet using that, and use local sites across the WAN.
I'm not too sure on their policies, I do know they can't change or add anything to the network without HQ say so.

How many users in the branch? I do not think that an additional DC will do anything to reduce congestion on the line; AD traffic is really minimal. What line do they have? Increasing a leased line speed need not cost too much.
There's about 10 PCs at the branch. Also I did assume it's AD traffic, they could be running NT4.0 for all I know.
A user was browsing the network looking for another PC on their LAN, not that I counted but there must've been 1000s of PCs listed in there. I would have to check what line they have currently, from what I gather they can't get any faster.
It's a pain really, I have no real info to go on either.

There are a few things that you need to do to check the line speed.

1. Run software on the local PCs that monitors traffic and consolidates all info to a central location.
2. Configure the local router to use netflow and send the traffic to a netflow server. Of course HO may already have this info.
3. Put an invisible sniffer between your LAN and the router to tunnel traffic and build a history of traffic.
4. Port mirroring on the switch and Wireshark to check the traffic volume.

Of course, just about every suggestion relies on having access to certain systems, e.g. the local pc, switch, routers etc. Depending on how well secured the environment is, you may not have access to what you require. My advice is to talk to HQ and work with them.
All I have access to is a local PC, so my hands are tied really, I've sent some options/suggestions for the branch to confirm with HQ. They pretty much can't sneeze without their permission. So it's wait and see what they say.
 