Wireless Bridge with Redundant wired VPN

I need to connect two buildings via a wireless bridge, while keeping the existing wired VPN connection between them in place (yes, creating a loop). I need both connections in place so that, in case of a failure on one, the other may pick up the traffic. The wired VPN link is in place and working; two firewall/VPN appliances acting as gateways at the internet connection in each building facilitate this. I have installed and tested the wireless bridge to the point that I know it is able to reliably send packets back and forth between the two buildings. Now I need to connect this bridge into the networks at each building so it can be used for traffic. The internal networks at each site are different subnets (192.168.1.0/24 and 192.168.2.0/24). What would be the best approach to accomplish this?

Reply to
citymaster

snipped-for-privacy@gmail.com hath wroth:

It's not a loop. It's two routes to the same IP block. It's exactly analogous to installing two ethernet cards in your PC, plugging both into a switch, and then trying to load balance the traffic (or switch the traffic) between them. If you have a Windoze laptop with both wired and wireless connections, the selection of route is done automatically using the "metric" value in the IPCONFIG command. See:

formatting link
for some hints.

Are you trying to use both at the same time? If not, there are protocols for switching the router on failure such as RIP. If yes, there are load balancing routers:

formatting link
formatting link
which can distribute the load between the two routes.

Maker and model of the firewall/VPN appliances?

Maker and model of the wireless bridges?

When you say "redundant VPN", does this mean that you have a VPN running over the wireless bridge?

That depends on whether you want to have both paths distribute the traffic or if you want to just use the wireless as a backup. My guess(tm) is that the bandwidth of the wireless is much higher than your (telco???) wired connection and should be considered the primary path, not the backup. If there's more than about a 10:1 ratio in available bandwidth, I wouldn't bother trying to load balance the two routes. If they're equal, then load balancing makes sense.

Fail over is easy enough. If the VPN routers being used for both the wireless and wired connections can do RIP-2, then simply assign a "cost" to the path and the routers will do the rest. Some model routers also have built in fail over features.

I'm not sure how I would implement load balancing. Probably with a dedicated load balancing router. However, I couldn't find one that can also play VPN router. This may take two boxes, which seems a bit too complicated. Dunno.

Reply to
Jeff Liebermann

I don't need to use both simultaneously; I just need to keep both in place so that in the event of failure a connection will be maintained. You are correct that the wireless has much higher bandwidth than the current wired VPN link; hence I would like to make the wireless the new primary connection, and have the wired VPN be the secondary.

Currently I have a Firebox X700 at one site and a Linksys BEFVP41 at the other. These are functioning perfectly as far as being the internet gateway and VPN termination points for each network.

Yes, it is necessary to run the wireless connection through a VPN tunnel as well due to a need for high security. We are using WPA as well between the two wireless bridge devices.

The wireless bridge devices are TrendNet TEW-413APBO, connected to 14 dBi directional antennas (TEW-OA14DK). The wireless connection is working well over a roughly 3000 foot distance with line of sight.

In summary, I don't need load balancing, simply two paths so that connections can fail over in the event of any problems on one or the other: somehow configuring the system so that the wireless bridge can pass packets between the two different IP networks, and the ability to have a gateway-to-gateway style VPN tunnel encapsulating all data going across the wireless connection.

Reply to
citymaster

~ >Now I need to connect this bridge into the networks at each building
~ >so it can be used for traffic. The internal networks at each site are
~ >different subnets (192.168.1.0/24 and 192.168.2.0/24). What would be
~ >the best approach to accomplish this?
~
~ That depends on whether you want to have both paths distribute the traffic or
~ if you want to just use the wireless as a backup. My guess(tm) is
~ that the bandwidth of the wireless is much higher than your (telco???)
~ wired connection and should be considered the primary path, not the
~ backup. If there's more than about a 10:1 ratio in available
~ bandwidth, I wouldn't bother trying to load balance the two routes. If
~ they're equal, then load balancing makes sense.
~
~ Fail over is easy enough. If the VPN routers being used for both the
~ wireless and wired connections can do RIP-2, then simply assign a
~ "cost" to the path and the routers will do the rest. Some model
~ routers also have built in fail over features.
~
~ I'm not sure how I would implement load balancing. Probably with a
~ dedicated load balancing router. However, I couldn't find one that
~ can also play VPN router. This may take two boxes which seems a bit
~ too complicated. Dunno.

Cisco routers could handle this. With a mindboggling variety of methods and options. Very likely you would see some useful suggestions for how best to do this at comp.dcom.sys.cisco.

Aaron

Reply to
Aaron Leonard

snipped-for-privacy@gmail.com hath wroth:

The Firebox X700 supports BGP, OSPF, and RIP-2. The BEFVP41 supports RIP-1 and RIP-2. So far so good.

formatting link
routing protocols supported, because these are a wireless bridge, not a router. So, where are the VPN routers on the wireless link? You said: "... it is necessary to run the wireless connection through a VPN tunnel". That requires VPN routers. Maker and model?

I presume automatic fail over, not manually switched.

Think about the above statement a bit. IP networks work on ISO layer 3. Wireless bridges work on ISO layer 2 and know NOTHING about IP addresses.

Well, that will take two VPN routers. Maker and model?

If the (added) VPN routers on the wireless link support RIP-2, you're done. Just configure RIP-2 in all your routers and you get something like fail over. It changes the default route depending on the number of hops to the gateway.

I tried to find some general info on dynamic routing and RIP-2 but couldn't find anything directly applicable. I've never tried fail-over with RIP through two VPN's so I have this nagging feeling I'm missing something.

Reply to
Jeff Liebermann

Thank you for your assistance. It sounds like what I am missing is the two additional routers which would connect to each of the wireless bridge devices.

Once I connect these two additional devices, how would I configure them from an IP viewpoint? Would I connect one side of each to an IP on the local wired network and then the other side to a new network, like 192.168.3.0/24, which would include these two new routers and the wireless bridge devices? Then I configure the VPN tunnels to point to the IP on the "wired side" of each of these routers? With the default gateways on the client machines pointing to the existing routers (the internet gateways), how will they know that a second (and less costly) route to the other internal network exists? Is this where the magic of RIP-2 comes in?

Sorry for my confusion on the ISO layers; I should have realized the fact that the bridge devices don't care about IPs, hence the reason I need the two additional routers so that routing can occur between the two separate IP networks.

As far as RIP-2, if anyone knows what configuration may be required I would appreciate the info. The Linksys box has a control that must be selected defining whether its Dynamic Routing is in "gateway" or "router" mode...? The WatchGuard has the ability to include some kind of configuration file for RIP; I will try to dig through my documentation more to further understand this.

Reply to
citymaster
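Added example, not part of the thread and not vendor configuration: a small Python simulation of the RIP-2 style failover Jeff describes, built on the layout citymaster proposes (two added routers on a 192.168.3.0/24 transit network across the bridge, the Firebox and BEFVP41 terminating the wired VPN). Router names (fw_a, fw_b, rtr_a, rtr_b), the per-link costs and the timeout of three update rounds are assumptions chosen for illustration; the VPN over the bridge is not modelled, only the routing. It shows why the hosts' default gateway does not need to change (the gateway learns the cheaper route from its LAN neighbour), and what happens during the window after the bridge dies but before the routes time out.

```python
"""Added example: RIP-style distance-vector failover between two sites.

Constructed topology (assumed names and costs):
  192.168.1.0/24  site A LAN: fw_a (VPN gateway) and rtr_a (router on the bridge)
  192.168.2.0/24  site B LAN: fw_b (VPN gateway) and rtr_b (router on the bridge)
  192.168.3.0/24  transit net between rtr_a and rtr_b across the wireless bridge
  fw_a <-> fw_b   wired VPN tunnel, given a higher cost so the bridge is preferred
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INFINITY = 16      # RIP: metric 16 means unreachable
HOLD_ROUNDS = 3    # silent update rounds before a neighbor's routes expire
                   # (assumed; real RIP: 180 s route timeout vs 30 s updates)


@dataclass
class Route:
    metric: int
    next_hop: Optional[str]   # None means directly connected


class Router:
    def __init__(self, name: str, connected: Dict[str, int]):
        self.name = name
        self.table: Dict[str, Route] = {p: Route(c, None) for p, c in connected.items()}
        self.silence: Dict[str, int] = {}   # neighbor -> rounds since its last update

    def advertisement(self, neighbor: str) -> Dict[str, int]:
        # split horizon with poisoned reverse: routes learned from `neighbor`
        # are sent back to it as unreachable
        return {p: (INFINITY if r.next_hop == neighbor else r.metric)
                for p, r in self.table.items()}

    def receive(self, neighbor: str, link_cost: int, adv: Dict[str, int]) -> bool:
        self.silence[neighbor] = 0
        changed = False
        for prefix, metric in adv.items():
            new = min(metric + link_cost, INFINITY)
            cur = self.table.get(prefix)
            if cur is not None and cur.next_hop == neighbor:
                # the current next hop may raise or lower its metric
                if cur.metric != new:
                    cur.metric, changed = new, True
            elif cur is None or new < cur.metric:
                self.table[prefix] = Route(new, neighbor)
                changed = True
        return changed

    def tick(self) -> bool:
        """Age neighbors; True while a silent neighbor still holds live routes."""
        unsettled = False
        for nb in self.silence:
            self.silence[nb] += 1
            live = [r for r in self.table.values()
                    if r.next_hop == nb and r.metric < INFINITY]
            if live and self.silence[nb] > HOLD_ROUNDS:
                for r in live:              # timeout: poison everything via nb
                    r.metric = INFINITY
                unsettled = True
            elif live and self.silence[nb] >= 2:
                unsettled = True            # missed an update, still waiting
        return unsettled


class Network:
    def __init__(self):
        self.routers: Dict[str, Router] = {}
        self.links: Dict[Tuple[str, str], int] = {}   # stored in both directions

    def add_router(self, name, connected): self.routers[name] = Router(name, connected)
    def add_link(self, a, b, cost=1): self.links[(a, b)] = self.links[(b, a)] = cost

    def fail_link(self, a, b):
        # a dead bridge radio does not drop the routers' Ethernet ports, so the
        # routers only notice because the neighbor's updates stop arriving
        del self.links[(a, b)], self.links[(b, a)]

    def round(self) -> bool:
        advs = [(src, dst, cost, self.routers[src].advertisement(dst))
                for (src, dst), cost in self.links.items()]
        changed = False
        for src, dst, cost, adv in advs:
            changed |= self.routers[dst].receive(src, cost, adv)
        for r in self.routers.values():
            changed |= r.tick()
        return changed

    def converge(self, max_rounds=40) -> int:
        for n in range(1, max_rounds + 1):
            if not self.round():
                return n
        raise RuntimeError("routing did not converge")

    def path(self, start: str, prefix: str) -> List[str]:
        hops = [start]
        while len(hops) <= INFINITY:
            r = self.routers[hops[-1]].table.get(prefix)
            if r is None or r.metric >= INFINITY:
                return []                  # unreachable
            if r.next_hop is None:
                return hops                # reached a router on that LAN
            hops.append(r.next_hop)
        return []                          # forwarding loop


LAN_A, LAN_B, TRANSIT = "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"


def build_sites(vpn_cost: int = 4) -> Network:
    net = Network()
    net.add_router("fw_a", {LAN_A: 1})
    net.add_router("fw_b", {LAN_B: 1})
    net.add_router("rtr_a", {LAN_A: 1, TRANSIT: 1})
    net.add_router("rtr_b", {LAN_B: 1, TRANSIT: 1})
    net.add_link("fw_a", "rtr_a")           # same LAN at site A
    net.add_link("fw_b", "rtr_b")           # same LAN at site B
    net.add_link("rtr_a", "rtr_b")          # transit net over the bridge
    net.add_link("fw_a", "fw_b", vpn_cost)  # wired VPN tunnel, penalised
    return net


if __name__ == "__main__":
    net = build_sites()
    print("rounds:", net.converge(), "A->B:", net.path("fw_a", LAN_B))
    net.fail_link("rtr_a", "rtr_b")
    print("rounds:", net.converge(), "A->B:", net.path("fw_a", LAN_B))
```

Run stand-alone it prints the active path from fw_a to site B before and after the bridge is failed: fw_a, rtr_a, rtr_b over the transit net first, then fw_a, fw_b over the wired VPN. The detail worth noticing is the window in between. Because the bridge terminates on ordinary Ethernet ports, nothing goes link-down when the radios stop passing traffic; rtr_a keeps pointing at rtr_b and fw_a keeps forwarding to rtr_a until the route timeout expires, so traffic is black-holed for that long (three minutes in stock RIP) rather than failing over instantly. A router with built-in failover that probes the far end, or a shorter timer, shrinks that window.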

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.