
Willing to offer serious network advice? (frustrated w/RV082)

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by tadr, Mar 25, 2006.

  1. tadr

    tadr Network Guru Member

    What I tried:
    Linksys RV082 behind a Hotbrick Firewall performing NAT, where the RV082 was supposed to subdivide the network into an IT portion, and allow VPN access to that IT portion. I was unable to configure the RV082 to work behind the Hotbrick (even in the DMZ), although it works fine when connected straight to our DSL line.

    What I'm trying to set up:

    1. Dual Internet Connections,
    a DSL Line --> DSL Router (bridge mode)
    b Cable Modem Line --> Cable Modem Router/switch (performing NAT)

    2. A load balancing/failover firewall to handle the dual connections

    3. Two subnetworks behind the main firewall (physically wired separately, separate switches, etc)

    A. Administrative/office computers
    Subnet A should NOT be able to talk to any of the devices in B.
    Subnet A should have internet access
    Subnet A can use either the DHCP server from a hardware firewall, or a dedicated DNS/DHCP box (we actually already have one set up for just subnet A, but I'd rather get away from it and use the DHCP server from a hardware firewall).

    B. IT computers
    Subnet B should be able to talk to any devices in A.
    Subnet B should have internet access.
    Subnet B must use a Linux DNS/DHCP box that we have already set up.

    4. We must have the ability to VPN into the network. Ideally, this would consist of some VPN users being able to access subnet A and some subnet B. Access to subnet B is required at a minimum.


    I have the following equipment:

    Linksys RV082 (does VPN, but doesn't seem to work with a private IP behind a firewall performing NAT, even when it is in the DMZ). This unit also supports dual WAN. I would like to use this as our VPN server.

    Hotbrick LB-2. This firewall supports dual WAN. It can stay or go in the configuration.

    Several Gigabit switches for the subnetwork

    A few linksys cable modem routers previously used to sub-divide the network in a very hack-ish configuration that we need to get away from.


    What I would like:

    A description of a configuration that meets the requirements above, hopefully utilizing just the RV082. I have struggled and struggled with setting up the RV082 behind the Hotbrick (main firewall) in order to sub-divide the IT portion of the network, but VPN just doesn't work in this configuration. If necessary, I can buy another RV082. I am also open to other suggestions, but I definitely don't want to set up a dedicated VPN server computer, nor am I willing to compromise much on the requirements.

    Thanks for your help, it's been painful trying to figure this out for the past week.
     
  2. bluebox

    bluebox Network Guru Member

  3. tadr

    tadr Network Guru Member

  4. Toxic

    Toxic Administrator Staff Member

    If I am not mistaken, your DSL and Cable should go onto the WAN1 and WAN2 ports.

    To keep A from B, put them in different VLAN configurations in port management: VLAN1 = A subnet, VLAN2 = B subnet.


    Then I guess all you need is to set up different tunnels for different users/clients/subnets in VPN setup.

    The RV042 should be able to meet your requirements tbh.

    You may not be able to use two subnets, but VLANs should do the same thing, i.e. split the IT and admin users apart.
     
  5. tadr

    tadr Network Guru Member

    This was exactly my plan. Unfortunately, however, the Linksys doesn't allow rules to be created where VLAN1 and VLAN2 are the source/destination. I need to be able to communicate from the IT network TO the office network, but not vice versa. If I split the network up into port based VLANs, which would be quite nice and easy, I don't think I can do this.
     
  6. Toxic

    Toxic Administrator Staff Member

    BTW, you may also be able to use RIP routing (Advanced Routing).

    What mode do you have the RV042 in? Gateway or Router mode?
     
  7. Toxic

    Toxic Administrator Staff Member

    You maybe could set access rules (in Firewall) for IT to office but not the other way round.

    Unfortunately I don't have one of these babies to play with, just the setup pages here: http://www.linksysdata.com/ui/RV082/1.1.6.14/
     
  8. tadr

    tadr Network Guru Member

    I had originally tried connecting each port to a separate subnet and setting the following rules:
    Denied DHCP traffic from 0.0.0.0-255.255.255.255 (to have a separate DHCP server on each port, and not let them interfere)
    Allow 192.168.10.0 (IT) to 192.168.1.0 (admin)
    Deny 192.168.1.0 (admin) to 192.168.10.0 (IT)

    The IP of the RV082 was set to 192.168.99.1

    I then connected two machines to the RV082 on port 1 and port 2 and gave them each an IP address (192.168.1.100 and 192.168.10.100), using the RV082 192.168.99.1 as the default gateway. For some reason, however, I was unable to either log in to the RV082 or access the internet in this configuration. I suspect it's because I gave the machines IPs in a different subnet from the device IP of the RV082, but I'm not sure how to get around this. I tried changing the subnet mask on the client PCs to 255.255.0.0 with no change.



    I tried two different setups:
    1. RV082 connected to the dual WAN. Here, it was in Gateway mode. I couldn't figure out how to subdivide doing it this way.

    2. RV082 connected behind our Hotbrick dual WAN firewall. Subdivision works (the RV082 thinks the main network is the internet, and creates a new private network for IT). Problem with this is that the VPN doesn't seem to work when the RV082 has a private IP and is behind a NAT firewall. I tried the device in both router and gateway mode.

    I don't know much about setting static routes or RIP, is there something I should try?
     
  9. Toxic

    Toxic Administrator Staff Member

    How many PCs are we talking about?

    IT = ?

    Office = ?
     
  10. Toxic

    Toxic Administrator Staff Member

    This would be how I would do it, if it is possible.

    This is an example only since I don't know the amount of PCs.

    Set static IPs for all IT computers: 192.168.1.10 - 192.168.1.25

    If possible set DHCP server to assign IPs from: 192.168.100 - 192.168.1.200

    This will then make ALL office computers have dynamically assigned IPs.

    That should work; if not, then set static IPs for all office computers: 192.168.1.100 - 192.168.1.200

    BTW, use the Static IP entry block in DHCP settings. You'll need to know all MAC addresses however.

    Once you have done that you can set up firewall rules.

    Like so:

    [image: access rule screenshot]

    This allows access from IT to Office.

    [image: access rule screenshot]

    This denies Office to IT.

    Don't know if this is acceptable for you, but it may help.
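The two rule schemes discussed in posts 8 and 10 (two /24 subnets on separate ports, or one subnet split into IT and office address ranges) and the gateway problem tadr ran into in post 8 can be reasoned about without a device. The following is an added example, not code from the thread or from Linksys: a small Python model that checks whether a host and its gateway each see the other as on-link, and evaluates an ordered, first-match allow/deny rule list against sample flows. The addresses are the ones quoted in the thread; the RV082 LAN mask (/24) and the "allow" default for LAN-to-LAN traffic are assumptions.

```python
import ipaddress

# Addresses below are taken from the thread; the RV082 LAN mask (/24) and the
# "allow" default for traffic that matches no rule are ASSUMPTIONS, not values
# read from the device.


def on_link(host_ip, host_mask, gateway_ip, gateway_mask="255.255.255.0"):
    """Return (host_sees_gateway, gateway_sees_host).

    Routed traffic only works when both are True: the host must be able to
    ARP for its default gateway directly, and the gateway must have a
    connected route back to the host's address.
    """
    host_net = ipaddress.ip_network(f"{host_ip}/{host_mask}", strict=False)
    gw_net = ipaddress.ip_network(f"{gateway_ip}/{gateway_mask}", strict=False)
    return (ipaddress.ip_address(gateway_ip) in host_net,
            ipaddress.ip_address(host_ip) in gw_net)


def _matches(addr, spec):
    """spec is either an ip_network or an inclusive (first, last) address range."""
    a = ipaddress.ip_address(addr)
    if isinstance(spec, tuple):
        lo, hi = (ipaddress.ip_address(x) for x in spec)
        return lo <= a <= hi
    return a in spec


def evaluate(rules, src, dst, default="allow"):
    """First-match evaluation of an ordered list of (action, src_spec, dst_spec)."""
    for action, src_spec, dst_spec in rules:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return default  # assumption: unmatched LAN traffic is allowed


# Scheme 1 (post 8): two /24 subnets, one per RV082 port.
IT_NET = ipaddress.ip_network("192.168.10.0/24")
ADMIN_NET = ipaddress.ip_network("192.168.1.0/24")
TWO_SUBNET_RULES = [
    ("allow", IT_NET, ADMIN_NET),
    ("deny", ADMIN_NET, IT_NET),
]

# Scheme 2 (post 10): one subnet, IT and office separated by address ranges.
IT_RANGE = ("192.168.1.10", "192.168.1.25")
OFFICE_RANGE = ("192.168.1.100", "192.168.1.200")
RANGE_RULES = [
    ("allow", IT_RANGE, OFFICE_RANGE),
    ("deny", OFFICE_RANGE, IT_RANGE),
]


def run_checks():
    """Collect the results so they can be compared with what the thread reports."""
    return {
        # Client 192.168.1.100/24 with gateway 192.168.99.1: off-link both ways.
        "client_slash24": on_link("192.168.1.100", "255.255.255.0", "192.168.99.1"),
        # Widening the client mask to /16 makes the gateway look on-link to the
        # client, but the gateway still has no connected route back to the client.
        "client_slash16": on_link("192.168.1.100", "255.255.0.0", "192.168.99.1"),
        # Client addressed inside the RV082's own subnet: reachable both ways.
        "client_same_net": on_link("192.168.99.100", "255.255.255.0", "192.168.99.1"),
        "it_to_admin": evaluate(TWO_SUBNET_RULES, "192.168.10.100", "192.168.1.100"),
        "admin_to_it": evaluate(TWO_SUBNET_RULES, "192.168.1.100", "192.168.10.100"),
        "it_to_office": evaluate(RANGE_RULES, "192.168.1.12", "192.168.1.150"),
        "office_to_it": evaluate(RANGE_RULES, "192.168.1.150", "192.168.1.12"),
        # An address outside both ranges matches no rule and falls to the default.
        "unassigned_to_it": evaluate(RANGE_RULES, "192.168.1.50", "192.168.1.12"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The `on_link` check reproduces the symptom from post 8: with a /24 mask neither side considers the other on-link, and widening only the client's mask fixes just one direction, so the RV082 still cannot answer. The evaluator models only packets that actually pass through the router's access rules; in scheme 2, two hosts on the same subnet and the same switches exchange frames directly, so address-range rules on the RV082 constrain only the traffic that is routed through it, and anything addressed outside both ranges falls through to the default.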
     
  11. tadr

    tadr Network Guru Member

    We have about 100 IT systems and 30 office systems. Unfortunately, both sides need to continue to use DHCP. Our phone system is actually IP based, and all of the phones get their IPs via DHCP. The office side can either use the DHCP server on the firewall, or the phone server itself can run as a DHCP server (our current setup). The IT side has its own Linux DHCP/DNS box.
     
