Client is opening a second location several towns, special machine needs to talk to partner.

Dan

Need some networking help / suggestions / tips / direction. This is a bit out of my league but I figured I'd reach out to you guys.

Two locations...
Location one has a DSL modem/router combo.
Location two has a cable modem with a static IP.
There is a machine at location 2 that needs to communicate with another "main" machine in location 1. The only way it can do that is by typing in the main machine's IP address. Typically these machines are in the same building and on the same network so this would not be a problem. However, they are now in two separate buildings many towns away.

Basically I need the network at location 1 and the network at location 2 to be connected somehow and have the same IP structure as if they are on the same network together. When typing in an IP address into the machine in location 2 it thinks it is in the same building as location 1 and can easily ping and communicate with the main machine.

Does that make sense? How can something like this be accomplished? Any help is much appreciated.
 
Yeah, a site-to-site VPN would be the simplest answer. There are other possible options, such as leased lines or (assuming line-of-sight is possible) wireless links.

Note, however, that no proper solution will put both sites on the same IP subnet. They will be on different subnets, but the VPN will allow each to communicate directly as if they were linked by a single router and no NAT/etc. between them.
 
> Need some networking help / suggestions / tips / direction. This is a bit out of my league but I figured I'd reach out to you guys.
>
> Two locations...
> Location one has a DSL modem/router combo.
> Location two has a cable modem with a static IP.
> There is a machine at location 2 that needs to communicate with another "main" machine in location 1. The only way it can do that is by typing in the main machine's IP address. Typically these machines are in the same building and on the same network so this would not be a problem. However, they are now in two separate buildings many towns away.
>
> Basically I need the network at location 1 and the network at location 2 to be connected somehow and have the same IP structure as if they are on the same network together. When typing in an IP address into the machine in location 2 it thinks it is in the same building as location 1 and can easily ping and communicate with the main machine.
>
> Does that make sense? How can something like this be accomplished? Any help is much appreciated.

What is preventing the use of a different subnet? e.g. Site 1 uses 192.168.1.1/24 while site 2 uses 192.168.2.1/24

There are solutions that will make remote networks appear as though they are in the same physical space, but it is not without its own issues.
 
I would recommend configuring an IPSec VPN between the two sites. Each location has its own internet connection and LAN subnet, but there would be an encryption domain between the two WAN links at the sites. The router will know to route any traffic going to the other location's subnet through the VPN tunnel. This would be configured on your firewall/routers that connect to your WAN.
 
> What is preventing the use of a different subnet? e.g. Site 1 uses 192.168.1.1/24 while site 2 uses 192.168.2.1/24
>
> There are solutions that will make remote networks appear as though they are in the same physical space, but it is not without its own issues.

I think you might be on to something... I'm going to check if they can be on different subnets but it sounds like it should be OK if the machine can easily ping the other location with just an IP address. If that's the case, what equipment do I need to install at each location? Keep in mind I'm not incredibly skilled at this sort of thing. Feel free to explain it like I'm a toddler.
 
> Yeah, a site-to-site VPN would be the simplest answer. There are other possible options, such as leased lines or (assuming line-of-sight is possible) wireless links.
>
> Note, however, that no proper solution will put both sites on the same IP subnet. They will be on different subnets, but the VPN will allow each to communicate directly as if they were linked by a single router and no NAT/etc. between them.
LoS is impossible. Not in the same town.
 
> I think you might be on to something... I'm going to check if they can be on different subnets but it sounds like it should be OK if the machine can easily ping the other location with just an IP address. If that's the case, what equipment do I need to install at each location? Keep in mind I'm not incredibly skilled at this sort of thing. Feel free to explain it like I'm a toddler.

Basically you need firewall/routers at each location that are capable of IPSEC VPN, and each location needs to be on a different subnet (e.g. Site 1 is 192.168.0.0/24 while Site 2 is 192.168.1.0/24). From there it is a matter of configuring the site-to-site VPN, which depends on the make/model of the firewall/router. Once you can establish the site-to-site VPN and can successfully ping both ways, you should be able to have any device talk to any other device on the network.

I can't really break things down more specifically without knowing more details about the networks and what equipment you are working with.
 
> Basically you need firewall/routers at each location that are capable of IPSEC VPN, and each location needs to be on a different subnet (e.g. Site 1 is 192.168.0.0/24 while Site 2 is 192.168.1.0/24). From there it is a matter of configuring the site-to-site VPN, which depends on the make/model of the firewall/router. Once you can establish the site-to-site VPN and can successfully ping both ways, you should be able to have any device talk to any other device on the network.
>
> I can't really break things down more specifically without knowing more details about the networks and what equipment you are working with.

So far that makes sense. As far as more details on the networks and equipment... there are none. One location just has a cable modem with a static IP, no router or anything yet... the other location just has a DSL modem/router combo (which I might convince them to switch to a static IP cable modem if it makes this easier). I'm trying to figure out what equipment to buy. Any suggestions?
 
> So far that makes sense. As far as more details on the networks and equipment... there are none. One location just has a cable modem with a static IP, no router or anything yet... the other location just has a DSL modem/router combo (which I might convince them to switch to a static IP cable modem if it makes this easier). I'm trying to figure out what equipment to buy. Any suggestions?

Well for starters, two new firewall/VPN appliances. Static IPs will certainly make your life & your customer's life a lot easier, as you will not have to set up dynamic DNS services or be concerned with the IP changing. As for equipment suggestions, most of my experience is in Palo Alto and Juniper, so either one will most likely be out of budget. The last independent consulting gig I did, about 8 years ago, I installed a pair of Zyxel firewalls for a sand plant and they are still using them to this day. I've seen Ubiquiti and Fortigates being recommended on these forums, but I have no direct experience with those products.
 
> Well for starters, two new firewall/VPN appliances. Static IPs will certainly make your life & your customer's life a lot easier, as you will not have to set up dynamic DNS services or be concerned with the IP changing. As for equipment suggestions, most of my experience is in Palo Alto and Juniper, so either one will most likely be out of budget. The last independent consulting gig I did, about 8 years ago, I installed a pair of Zyxel firewalls for a sand plant and they are still using them to this day. I've seen Ubiquiti and Fortigates being recommended on these forums, but I have no direct experience with those products.

So I'd need static IPs in both spots ideally and two routers capable of IPSec VPN connections. Since you're "sorta" familiar with Zyxel, would a Zyxel Zywall 110 do the trick? It seems a bit overkill with the ports considering only one thing will be plugged into it, but I'm more concerned with just getting it done at this point (also ease of setup is a concern as well, for obvious reasons).
 
The Zywall 110 would be more than adequate. When I initially ran into issues setting up the site-to-site VPN, I called their support and had the issue resolved in under 30 minutes, so back then my one and only experience with their support was pretty damn good.
 
I'll throw in an alternative opinion and say that a Fortigate 30E or a 50E would also be a great box for this type of scenario. I'm not saying the Zywall is a bad product, but I'd take the Fortigate over it 10 times out of 10.

Datasheets -

30E - https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_30E.pdf
50E - https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_FortiWiFi_50E_Series.pdf

Basically your setup would be pretty straightforward:
  1. Call the ISPs at both branches and order a static IP address
  2. Configure the two firewalls behind the modems for the static WAN IP
  3. Give each internal network a unique IP address scheme (e.g. 192.168.1.0/24 at Site A, 192.168.2.0/24 at Site B)
  4. Create the IPSec tunnels/gateway rules on each firewall
  5. Create the firewall rules to permit LAN traffic to the IPSec tunnel, and their reflexive policies
Fortinet's website has a great write up on IPSec VPN with the FortiOS between two firewalls:

http://cookbook.fortinet.com/site-to-site-ipsec-vpn-with-two-fortigates-5-4/
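As an added illustration of the plan above (steps 1 to 5) and of the "different subnet per site" advice given earlier in the thread, here is a small Python planning check; it is not code from any poster and not FortiOS or Zyxel configuration. The site names, LAN subnets and WAN addresses are constructed sample values, and the policy model (LAN to tunnel, its reflexive twin, plain internet egress, implicit deny) is a simplification of what a real firewall evaluates.

```python
"""Plan check for a two-site IPsec VPN: disjoint RFC 1918 LANs, the
phase-2 selectors each firewall needs, and the LAN<->tunnel policy pair."""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import NamedTuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Site(NamedTuple):
    name: str
    lan: IPv4Network      # internal subnet behind the firewall
    wan_ip: IPv4Address   # static public IP from the ISP (tunnel endpoint)

def site(name: str, lan: str, wan_ip: str) -> Site:
    # strict=False so "192.168.1.1/24" is accepted and normalised to 192.168.1.0/24
    return Site(name, ip_network(lan, strict=False), ip_address(wan_ip))

def validate_plan(a: Site, b: Site) -> list[str]:
    """Return the problems that would stop routing through the tunnel; [] if none."""
    problems = []
    if a.lan.overlaps(b.lan):
        problems.append(f"{a.name} LAN {a.lan} overlaps {b.name} LAN {b.lan}")
    for s in (a, b):
        if not any(s.lan.subnet_of(n) for n in RFC1918):
            problems.append(f"{s.name} LAN {s.lan} is not RFC 1918 private space")
        if any(s.wan_ip in n for n in RFC1918):
            problems.append(f"{s.name} WAN {s.wan_ip} is private; the peer cannot reach it")
    if a.wan_ip == b.wan_ip:
        problems.append("both sites claim the same WAN IP")
    return problems

def phase2_selectors(local: Site, remote: Site) -> dict[str, str]:
    """Tunnel definition on `local`: peer gateway plus the local/remote LAN selectors."""
    return {"peer_gateway": str(remote.wan_ip),
            "local_subnet": str(local.lan),
            "remote_subnet": str(remote.lan)}

def decide(local: Site, remote: Site, src: str, dst: str) -> str:
    """Which policy on `local` handles a packet: LAN->tunnel, its reflexive
    tunnel->LAN twin, ordinary internet egress, or the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    if s in local.lan and d in remote.lan:
        return f"permit lan->ipsec ({remote.name} via {remote.wan_ip})"
    if s in remote.lan and d in local.lan:
        return "permit ipsec->lan (reflexive policy)"
    if s in local.lan and not any(d in n for n in RFC1918):
        return "permit lan->wan (NAT to internet)"
    return "deny"
```

Run `validate_plan` on the two sites before buying anything: an overlap between the LANs is the one mistake the tunnel cannot fix, because the router has no way to tell local hosts from remote ones.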
 
Ubiquiti EdgeRouter Lite is another option. Simple to configure as a router as well as for the site-to-site VPN.
 
> Yeah, a site-to-site VPN would be the simplest answer. There are other possible options, such as leased lines or (assuming line-of-sight is possible) wireless links.
>
> Note, however, that no proper solution will put both sites on the same IP subnet. They will be on different subnets, but the VPN will allow each to communicate directly as if they were linked by a single router and no NAT/etc. between them.
i wouldn't say that...

there's nothing preventing you from extending the layer 2 network through a WAN tunnel if you desired...

best practice? no... but i wouldn't call it an improper solution if there really was a need for it (i highly doubt there is)

regardless, OP should likely seek professional help...
 