I have 2 subnets : Main subnet : 10.0.0.0/24 Remote office subnet 10.0.1.0/24
There are 2 routers connected to the Main subnet :
- 1 that connects 10.0.0.0/24 to 10.0.1.0/24 with ip of 10.0.0.253
- 1 that connects 10.0.0.0/24 to the internet with ip of 10.0.0.254
If the default gateway on all machines in the Main subnet is 10.0.0.254 How can I route properly my traffic without having to create a persistent route on all my machines in the 10.0.0.0/24 subnet for the
You are right it will be a mess. Unfortunately those people who are setting up the Remote offices want me to set things up this way. I am trying to find a way to prove them that there should be a better one.
You can but as ghett0 already mentioned, this wouldn't result in real routing but rather in ICMP redirects. I had a similar setup and in my experience, this doensn't work reliably cause not all clients handle the redirects properly.
But anyway, it's an interesting thing. How is this defined? If the remote end of the static route is in the same subnet as the source address an ICMP redirect is sent back?
Now that I see what you're trying to do, I'd suggest that you see if your MPLS vendor will let you connect the local switch at your "Main" location directly to the IAD. The IAD 2431 looks like it supports two fast ethernet interfaces. You could drop your local "Main" workstations into the IAD, and it would send traffic destined for the remote location directly to the MPLS cloud. Otherwise, the IAD could send Internet-bound traffic directly to the Fortigate. Check with your provider and see if they'll work with you on this.
Another option would be to enable routing capability into your "Main" switch. The idea here, again, is that you put your workstations into their own subnet so that those end points don't have to have specific routing information or rely in ICMP redirects. Enabling a routing function on that switch could address this.
I guess it comes down to if your comfortable having the MPLS provider treat your "Main" location as just another stub network. Also, how much "control" do you want in terms of handing off traffic to the remote sites and the Internet.
As you said, I am really not comfortable having the MPLS provider be in front of my firewall and route my internet traffic, I would lose too much control. And I'm worried that if I need something done someday they will take forever to fix it.
I kind of see the idea of that solution. The issue is that our switches do not have routing capabilities. ( By the way is it what a Layer 3 switch is ? )
Thanks for all your advices.
Now, in order to keep reasonable control of my traffic, do you think that
is technically doable ? The fortigate firewall is also a router. It has 3 interfaces :
- WAN1 connected to Iquest router ( xxx.xxx.xxx.129/27 );
- WAN2 connected to Nuvox router ( 10.0.3.0/30 ),
- LAN1 connected to Main office subnet ( 10.0.0.0/24 )
If I would just create routes on the fortigate to route traffic from 10.0.0.0/24 to xxx.xxx.xxx.129/27 for internet access to WAN1 and from 10.0.0.0/24 to 10.0.3.0/30 for 10.0.1.0/24 to WAN2
Sounds reasonable. But if you now have a triple-interface firewall, depending on what kind the link to 10.0.1.0/24 is, you could omit the transfer network. Or is it a kind of connection only the former 10.0.0.253 can handle?
Yes the Cisco 2431 needs to be there, it handles the connection through the MPLS traffic with a specific card ( It also manages the VOIP system routing ). So basically I cannot get rid of this "extra" router.