Isolate network traffic with extra router?

JohnCleary

Scenario:

Building 1: Own router and Internet gateway: 192.168.1.0 / 24
Router is acting as DHCP for network in Building 1, which is connected to Netgear managed switch

Wireless P2P between buildings: 192.168.2.0 / 24

Building 2: Own router, using router in building 1 as internet gateway: 192.168.3.0 / 24
Router is acting as DHCP for network in Building 2, which is connected to Netgear managed switch

Both buildings need to have full communication / connectivity. The issue is that Building 2 creates a lot of internal traffic (scanning / printing etc.) so that's why a separate router was installed in Building 2, to try and isolate internal traffic when internal routing going on, but to still have full connectivity to Building 1. I did not install this router, but after performing some checks, it appears that all traffic is still being router through router in Building 1.

As I did not configure this, I am not certain (yet) what's going on.

Is it possible to isolate internal traffic in Building 2 to the router in Building 2, hence no traffic going over the P2P Wireless link, but still have full connectivity for internet / file sharing etc?

ED E

So what you're asking is to limit LAN to LAN traffic across the P2P but allow LAN to WAN to pass?

To do so is pretty simple but will totally depend on what hardware you're using. Probably the most basic method would be to add a dead static route to .1.0/24 in R2 so hosts on .3.0/24 cant reach them.

gctest50

How many PCs, printers/scanners in Building 1 ?


How many PCs, printers/scanners in Building 2 ?

Cuddlesworth

JohnCleary wrote: »

Is it possible to isolate internal traffic in Building 2 to the router in Building 2, hence no traffic going over the P2P Wireless link, but still have full connectivity for internet / file sharing etc?

Unless I'm missing something, you can't isolate Building 2 without loosing all connectivity to the internet.

Your connectivity to the outside world is in Building 1, Building 2 has to route through Building 1 for most things.

JohnCleary

Building 1: Approx 15 PC's / 15 big printers & scanners / NAS / CCTV (DVR)

Building 2: Approx 10 PC's / 10 big printers & scanners / NAS

Each NAS backs up to each other NAS nightly (need to double check, but this is what they want)

Routers in each location are: Zyxel SBG3300

Internet in Building 1: UPC EPC3925 in bridge mode, the Zyxel router doing DHCP etc.

Cuddlesworth

JohnCleary wrote: »

Building 1: Approx 15 PC's / 15 big printers & scanners / NAS / CCTV (DVR)

Building 2: Approx 10 PC's / 10 big printers & scanners / NAS

Each NAS backs up to each other NAS nightly (need to double check, but this is what they want)

Routers in each location are: Zyxel SBG3300

Internet in Building 1: UPC EPC3925 in bridge mode, the Zyxel router doing DHCP etc.

Then any traffic being sent to Building 1 is being sent there for a specific reason. Blocking it will only break things.

JohnCleary

Cuddlesworth wrote: »

Then any traffic being sent to Building 1 is being sent there for a specific reason. Blocking it will only break things.

I'll test the network when I get a chance. I know the NAS / Internet traffic must go via Building 1, I am trying to see if it's possible to keep the print / scan jobs 'in house' in Building 2.

gctest50

What distance between the two building ?

Cuddlesworth

JohnCleary wrote: »

I'll test the network when I get a chance. I know the NAS / Internet traffic must go via Building 1, I am trying to see if it's possible to keep the print / scan jobs 'in house' in Building 2.

Where exactly is the problem here? If scan/print jobs are leaving the subnet then there is a reason for it. And unless your a document scanning company or a print shop, its unrealistic for internal scan/print jobs to be causing issues.

JohnCleary

The distance is only about 100m.

Currently 100Mbit P2P Wireless connection, upgrading this to 150Mbit next week.

The issue is that the print jobs can be big (500Mb) and I don't want the wireless being throttled. I'm hoping to isolate the internal in traffic within Building 2 to Building 2.

Time for me to take out the Cisco notes. I've done this in the past, just can't remember!

gctest50

Could you run fibre between the two buildings ?

( and keep the existing wireless as backup )

More secure , much faster etc

Cuddlesworth

JohnCleary wrote: »

The distance is only about 100m.

Currently 100Mbit P2P Wireless connection, upgrading this to 150Mbit next week.

The issue is that the print jobs can be big (500Mb) and I don't want the wireless being throttled. I'm hoping to isolate the internal in traffic within Building 2 to Building 2.

Time for me to take out the Cisco notes. I've done this in the past, just can't remember!

A 500MB print job would take around 30 seconds to transfer with a 150mb pt-pt connection. Besides, I don't think your getting my point. If there is traffic in site B, that is routing to site A, its heading there for a specific reason. By blocking the traffic from 1 subnet to the other, you will break things like printing, NAS backups, fileshares, IM's or any other internal communication.

Whats the problem here? Is it that the internet is slow in Building B?

JohnCleary

gctest50 wrote: »

Could you run fibre between the two buildings ?

( and keep the existing wireless as backup )

More secure , much faster etc

I wish (The answer is 'no)

Cuddlesworth wrote: »

A 500MB print job would take around 30 seconds to transfer with a 150mb pt-pt connection. Besides, I don't think your getting my point. If there is traffic in site B, that is routing to site A, its heading there for a specific reason. By blocking the traffic from 1 subnet to the other, you will break things like printing, NAS backups, fileshares, IM's or any other internal communication.

Whats the problem here? Is it that the internet is slow in Building B?

Yes, slow. However, I suspect it's the wireless hardware... will investigate this during the week and report back.

Thanks for the help.

liamo

Cuddlesworth has it spot on.

I think that the following statements need clarification

after performing some checks, it appears that all traffic is still being router through router in Building 1

What checks? What traffic? Why do you say it appears so?

Is it possible to isolate internal traffic in Building 2 to the router in Building 2

As per Cuddlesworth's post, traffic from Building2 that is not specifically destined for Building1 shouldn't appear on B1's LAN. Therefore, I would suggest that the traffic should be there unless it can be demonstrated otherwise.

Cuddlesworth wrote: »

I don't think your getting my point. If there is traffic in site B, that is routing to site A, its heading there for a specific reason. By blocking the traffic from 1 subnet to the other, you will break things like printing, NAS backups, fileshares, IM's or any other internal communication.?

ED E

As above, traffic from client to printer has no reason to transit the link to hit the gateway unless there is a print server in site A spooling the jobs.

Cuddlesworth

JohnCleary wrote: »

I wish (The answer is 'no)


Yes, slow. However, I suspect it's the wireless hardware... will investigate this during the week and report back.

Thanks for the help.

Wireless advertised speeds are a theoretical maximum. Odds are your getting far less then what you think. You can use a tool like iperf/jperf/iperf3 to get a handle on actual speeds. Just keep in mind, even that is a ideal circumstance and real world speeds will be slower again because wireless is half duplex.

The best long term option here is to upgrade the link to a better equipment/speeds. Outdoors wifi is not my thing though.

mass_debater

What wireless gear are they upgrading to?

darth_maul

You need a better ptp link than 150mb, look up the ubnt airfibre range those can pull serious bandwidth, you would need to seriously throttle back power for your distance but speeds are huge,
Ubiquiti (ubnt) also do other stuff that are much faster than 150. Check out ubnt.com,

p.s. stay away from 2.4ghz.
5ghz or 24ghz only for ptp.

Also outdoor wireless is very specialised and can be very tempermantal if installed incorrectly,
Advise getting a specialist involved that will do a proper site scan and provision and monitor link properly.