Connecting two home networks with two Billion gateway routers

Fibre793

Junior Member
Jun 26, 2017
4
0
6
Hi everybody,

I've run into a problem that I hope somebody can help me with. I'm trying to connect two private networks in the following example setup:-

Network A - 192.168.0.0/24
Network B - 192.168.1.0/24

The following criteria apply:-

* Any device on either network should be able to communicate with any other on Network A and B
* Each network has its own Internet connection and this should be retained. For example, Network A should only use Gateway A, and Network B should only use Gateway B for external communications
* The networks must be able to operate independently at all times, the link between them may not be full-time
* Network A devices should only get DHCP addresses from Gateway A, and Network B devices should only get DHCP addresses from Gateway B.

Network A has a Billion 7800DXL router while Network B uses the 7800N. I've been looking into this and found a very good example shown below:-

https://superuser.com/questions/357...ome-networks-together-using-an-ethernet-cable

The page specifies that an extra router is needed between the two networks to make it work apart from under specific conditions, i.e. business level router, Linux gateway etc. I'm not sure if the routers I have contain the feature set I require to avoid using the extra router. In all honesty, the advanced settings are a little beyond my understanding.

One quote given in the page is shown below:-

"You don't need a middle gateway, just put DD-WRT or similar on one of the gateways. Any replacement firmware that allows you to configure vlans will do. If network A is 192.168.1.x and B is 192.168.2.x, you would just need to configure a port on a new vlan on gateway A and give it an IP of 192.168.2.2. connect that port to gateway B. Then on gateway B add a static route for 192.168.1.x through 192.168.2.2"

I found an option to allocate a virtual IP to the router on the 7800DXL and setting up a static route on the 7800N linked the networks. However, although it worked for the most part, I found devices on Network A getting DHCP addresses from Network B etc, which is not desirable. I realise that using a virtual IP merged the two networks in a manner of speaking rather than routing between them.

In conclusion, does anybody know if I can use these routers to achieve my goals, or will I have to buy a third device to route between the networks?

Thanks
 

sdifox

No Lifer
Sep 30, 2005
99,001
17,405
126
You could just reserve IP by MAC on each of your subnets. Unless you have tons of clients it is the easiest thing to do.
 

MrBill10

Member
Apr 28, 2016
44
0
6
My Edgerouter Lite does this by default. I had to implement firewall rules to prevent LAN 1 from seeing LAN 2.
 

mv2devnull

Golden Member
Apr 13, 2010
1,519
154
106
There is a need for five subnets:
Inet-A, Lan-A, AB, Inet-B, and Lan-B

Router A already connects to Inet-A and Lan-A. It has a DHCP that hands out addresses to members of Lan-A (both wired and wireless). A gets Inet-A IP address from ISP A's DHCP. The default route on A is via Inet-A.

Router B is similar.
Members of Lan-A know nothing about other subnets. They send everything to A.
Members of Lan-B know nothing about other subnets. They send everything to B.


The question is, can one isolate one "LAN-port" on both routers so that 1) it will not be part of Lan-A/B, 2) it will have a static IP address in subnet AB, and 3) DHCP will not serve on that port?

Router A would have a static route: "to Lan-B via B (i.e. AB subnet)"
Router B would have a static route: "to Lan-A via A (i.e. AB subnet)"
When Lan-A member sends something out, router A would either forward it to B (if destination is in Lan-B) or to Inet-A.
NAT is not required on the link.

If the ports are isolated and not switched, then traffic between subnets is routed (not "bridged") and DHCP broadcasts do not route (without a relay).

The specs of those Billions say that the LAN ports are "on a switch". Not isolated.
However, there is the VLAN-support. If a switch has two VLANs, with one port (only) on VLAN "AB" and other ports (only) on VLAN "Lan", then traffic between the VLANs requires routing.
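
The routed design described in the post above, as an added example that is not part of the original thread: a small Python model of both routers' tables showing how a packet crosses the AB link, why a DHCP broadcast does not, and what happens when the static routes are missing. The AB subnet 10.255.0.0/30 and the interface names are assumptions made for illustration.

```python
import ipaddress as ip

# Lan-A and Lan-B are the thread's networks; the transit subnet AB and the
# interface names are constructed for this example.
LAN_A = ip.ip_network("192.168.0.0/24")
LAN_B = ip.ip_network("192.168.1.0/24")
AB = ip.ip_network("10.255.0.0/30")
DEFAULT = ip.ip_network("0.0.0.0/0")

# Per router: destination prefix -> (next-hop router or None, egress interface).
ROUTERS = {
    "A": {LAN_A: (None, "lan-a"), AB: (None, "ab"),
          LAN_B: ("B", "ab"), DEFAULT: (None, "inet-a")},
    "B": {LAN_B: (None, "lan-b"), AB: (None, "ab"),
          LAN_A: ("A", "ab"), DEFAULT: (None, "inet-b")},
}
# Same tables with the two static routes removed (connected + default only).
NO_STATIC = {r: {n: v for n, v in t.items() if v[0] is None}
             for r, t in ROUTERS.items()}

def lookup(router, dst, routers):
    """Longest-prefix match in one router's table."""
    best = max((n for n in routers[router] if dst in n),
               key=lambda n: n.prefixlen)
    return routers[router][best]

def path(first_router, dst, routers=ROUTERS):
    """Follow a packet handed to first_router; return 'router:interface' hops."""
    dst = ip.ip_address(dst)
    # A DHCPDISCOVER is sent to 255.255.255.255; limited broadcast and
    # multicast are not forwarded by a router, so the path is empty.
    if dst == ip.ip_address("255.255.255.255") or dst.is_multicast:
        return []
    hops, router = [], first_router
    while router is not None and len(hops) < 8:  # hop limit guards loops
        next_router, iface = lookup(router, dst, routers)
        hops.append(f"{router}:{iface}")
        router = next_router
    return hops

if __name__ == "__main__":
    for dst in ("192.168.1.20", "8.8.8.8", "255.255.255.255"):
        print(dst, path("A", dst))
    print("no static route:", path("A", "192.168.1.20", NO_STATIC))
```

Without the static route, router A sends Lan-B traffic to its default route (Inet-A), which is why each router needs an explicit route for the other LAN via the AB subnet.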
 

Fibre793

Hey everybody, thanks for your replies.

You could just reserve IP by MAC on each of your subnets. Unless you have tons of clients it is the easiest thing to do.

I could also assign static IP addresses to all the clients. Unfortunately, as a person stated in the link I provided, DHCP is very useful in that it removes administration requirements for IP allocation to a large degree. There are quite a few devices on the network and more may be added outside of my control. It's unfortunately not a practical solution in this case.

My Edgerouter Lite does this by default. I had to implement firewall rules to prevent LAN 1 from seeing LAN 2.

Firewalling... hmm... This is an interesting idea I hadn't considered. I could write firewall rules to ensure that devices on either network could not see the DHCP server on the other. However, I do consider the idea I used to make it work using an IP alias on one of the routers to be a bit of a hack. I'd like to find a proper solution to make this work. But thanks, that's a good fallback position.

The question is, can one isolate one "LAN-port" on both routers so that 1) it will not be part of Lan-A/B, 2) it will have a static IP address in subnet AB, and 3) DHCP will not serve on that port?

Router A would have a static route: "to Lan-B via B (i.e. AB subnet)"
Router B would have a static route: "to Lan-A via A (i.e. AB subnet)"
When Lan-A member sends something out, router A would either forward it to B (if destination is in Lan-B) or to Inet-A.
NAT is not required on the link.

If the ports are isolated and not switched, then traffic between subnets is routed (not "bridged") and DHCP broadcasts do not route (without a relay).

The specs of those Billions say that the LAN ports are "on a switch". Not isolated.
However, there is the VLAN-support. If a switch has two VLANs, with one port (only) on VLAN "AB" and other ports (only) on VLAN "Lan", then traffic between the VLANs requires routing.

I must admit I'm a bit confused by this, I'm out of my depth somewhat.

I think what you're saying is that I should create a virtual subnet (we'll call it network C in this case), create a VLAN address on both routers on network C and then route connections between the two via network C. Is that right?

This might be wrong, but if traffic arrives from network A to network C, how will it know how to get to network B from C? The traffic will I assume be isolated by the VLAN. Or maybe I have no idea what I'm talking about lol.

Any help you could provide would be useful :)

Thanks
 

sdifox

Then you can try ACL and deny udp 67 from passing through that port.
 

Fibre793

After fiddling around with the firewalling option, it proved much more difficult than expected. In fact, no firewalling attempt I made worked at all. Either no DHCP was assigned from either gateway or either one of them provided it.

The main issue seems to be the initial broadcast attempt by the client. Since we have no way of controlling which router responds to the broadcast DHCP request, it's impossible to firewall against it without doing it on the client itself (which is not feasible). The client will not have an address until assigned it by the DHCP server, so the network can't be segmented by IP address for this purpose.

I'm looking back into the VLAN approach. After some reading on port-based VLANs, it seems they separate broadcast domains. If the routers are capable of routing the two networks (main and virtual) with a static route, it may work. But I'm not sure if it will or not without trying it.

I'll get back to you all on that.
 

Fibre793

As a final message, after reading more into VLANs and understanding more of what mv2devnull said, I tried to implement his approach.

However, it seems the Billion routers I have do not support the allocation of an IP address to VLANs and so I could not ultimately figure out how to route the data between the two networks without introducing a third piece of equipment. After much fiddling, I actually managed to lock myself out of one router and had to factory reset.

I don't think this kind of setup is possible with the Billion routers I have. So I'll either abandon the concept or bring in a third piece of equipment to achieve this.

Thanks to all of you for your help.
 

MrBill10

One EdgeRouter Lite will do what you want: provide 2 LANs each with their own DHCP and give you the ability to manage traffic between them as required.