EdgeRouter routing
-
Here is basically what the old configuration looked like:
-
This is what I have now:
-
Basically I plugged the Edge router in where the computer was plugged in and statically assigned the IP address to Eth3 on the ER. The cisco router that Corp supplied must have a site to site VPN running since 10.66.1.100 is a private address.
-
@mike-davis said in EdgeRouter routing:
Basically I plugged the Edge router in where the computer was plugged in and statically assigned the IP address to Eth3 on the ER. The cisco router that Corp supplied must have a site to site VPN running since 10.66.1.100 is a private address.
This is not how any of this works.
-
@dashrender said in EdgeRouter routing:
Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?
Probably could, but the way it was Corp was connecting in and messing with their machines so they don't want to have a wide open connection.
-
@mike-davis said in EdgeRouter routing:
@dashrender said in EdgeRouter routing:
Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?
Probably could, but the way it was Corp was connecting in and messing with their machines so they don't want to have a wide open connection.
You setup a rule in the ERL to only allow connectivity to/from the IP of the specific server that you need access to.
-
@mike-davis said in EdgeRouter routing:
@dashrender said in EdgeRouter routing:
Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?
Probably could, but the way it was Corp was connecting in and messing with their machines so they don't want to have a wide open connection.
Unless this is legally an entire separate entity, corporate SHOULD be doing that.
-
From your diagram, it's likely that server 10.66.1.100 has no idea how to get back to 10.1.62.20. You need to give it a route to Corp Cisco router for network/node 10.1.62.20 and the corp cisco router needs a route also to network/node 10.1.62.20.
-
@jaredbusch said in EdgeRouter routing:
Unless this is legally an entire separate entity, corporate SHOULD be doing that.
It's a Dr has her own practice, but consults for them. Other specialists in the building are owned by corporate, so when it came to connectivity, they just plugged her in to their LAN. It made it easy to connect to their server, but other things are a real pain because they don't own her equipment etc.
-
@dashrender said in EdgeRouter routing:
From your diagram, it's likely that server 10.66.1.100 has no idea how to get back to 10.1.62.20. You need to give it a route to Corp Cisco router for network/node 10.1.62.20 and the corp cisco router needs a route also to network/node 10.1.62.20.
When the laptop is plugged in where the ER is, it has no problem connecting.
-
@mike-davis said in EdgeRouter routing:
@dashrender said in EdgeRouter routing:
From your diagram, it's likely that server 10.66.1.100 has no idea how to get back to 10.1.62.20. You need to give it a route to Corp Cisco router for network/node 10.1.62.20 and the corp cisco router needs a route also to network/node 10.1.62.20.
When the laptop is plugged in where the ER is, it has no problem connecting.
Sure, because that new network you created behind the EdgeRouter isn't in the middle, but you've introduced a new network behind another network. So the far side (10.66.1.100) has no idea that the 10.1.62.1 network exists, so it doesn't know how to get there. The same is true of the Cisco Router. it's unaware that you've put a new network in place behind the 192.168.61.1 network (again, namely the 10.1.62.20 network).
-
Since 10.1.62.x is NATed behind the ER how would the other networks know about it?
Wouldn't they only need to get back to 192.168.62.20 ? -
@mike-davis said in EdgeRouter routing:
Since 10.1.62.x is NATed behind the ER how would the other networks know about it?
Wouldn't they only need to get back to 192.168.62.20 ?I think that partially answers my question. I'm not NATing eth3 yet....
-
creating a masq for eth3 automatically created a static route for 192.168.62.0/24, and then I added a couple of more routes, but something isn't right because my ping from the windows box looks like this:
Reply from 10.1.62.1: Destination host unreachable. Reply from 10.1.62.1: Destination host unreachable. Reply from 10.1.62.1: Destination host unreachable. Reply from 10.66.1.100: bytes=32 time=1ms TTL=61 Reply from 10.66.1.100: bytes=32 time=2ms TTL=61 Reply from 10.66.1.100: bytes=32 time=2ms TTL=61 Reply from 10.66.1.100: bytes=32 time=2ms TTL=61 Reply from 10.66.1.100: bytes=32 time=1ms TTL=61 Reply from 10.66.1.100: bytes=32 time=2ms TTL=61 Reply from 10.1.62.1: Destination host unreachable. Reply from 10.66.1.100: bytes=32 time=1ms TTL=61 Reply from 10.66.1.100: bytes=32 time=2ms TTL=61 Reply from 10.1.62.1: Destination host unreachable. Reply from 10.66.1.100: bytes=32 time=1ms TTL=61 Request timed out. Reply from 10.66.1.100: bytes=32 time=1ms TTL=61 Reply from 10.1.62.1: Destination host unreachable. Reply from 10.66.1.100: bytes=32 time=1ms TTL=61 Reply from 10.66.1.100: bytes=32 time=2ms TTL=61 Reply from 10.1.62.1: Destination host unreachable. Reply from 10.1.62.1: Destination host unreachable. Reply from 10.1.62.1: Destination host unreachable. Reply from 10.66.1.100: bytes=32 time=2ms TTL=61 Reply from 10.1.62.1: Destination host unreachable. Reply from 10.66.1.100: bytes=32 time=1ms TTL=61 Reply from 10.1.62.1: Destination host unreachable. -
Got it.
Added a static route of 10.66.1.0/24 192.168.62.1 eth3 and life is good.
-
The tracert is interesting. The server that I thought was across a site to site VPN is more likely in the building due to the ping times:
Tracing route to 10.66.1.100 over a maximum of 30 hops 1 <1 ms <1 ms <1 ms 10.1.62.1 2 1 ms 2 ms 1 ms 192.168.62.1 3 2 ms 2 ms 1 ms 192.168.180.2 4 2 ms 2 ms 1 ms 10.66.1.100 Trace complete. -
@mike-davis said in EdgeRouter routing:
@mike-davis said in EdgeRouter routing:
Since 10.1.62.x is NATed behind the ER how would the other networks know about it?
Wouldn't they only need to get back to 192.168.62.20 ?I think that partially answers my question. I'm not NATing eth3 yet....
LOL that was going to be my next question - are you actually NATing?
-
@mike-davis said in EdgeRouter routing:
The tracert is interesting. The server that I thought was across a site to site VPN is more likely in the building due to the ping times:
Tracing route to 10.66.1.100 over a maximum of 30 hops 1 <1 ms <1 ms <1 ms 10.1.62.1 2 1 ms 2 ms 1 ms 192.168.62.1 3 2 ms 2 ms 1 ms 192.168.180.2 4 2 ms 2 ms 1 ms 10.66.1.100 Trace complete.Gotta love finding equipment you didn't know was on-site... kinda. documentation
-
@travisdh1 said in EdgeRouter routing:
Gotta love finding equipment you didn't know was on-site...
I once found a 48 port switch bolted to the top of a partition wall up above a ceiling. If I can find a picture, I'll start a new thread.
As a consultant, it's getting harder and harder to surprise me and I don't really trust what users say about how they think things work anymore.
-
@mike-davis said in EdgeRouter routing:
@travisdh1 said in EdgeRouter routing:
Gotta love finding equipment you didn't know was on-site...
I once found a 48 port switch bolted to the top of a partition wall up above a ceiling. If I can find a picture, I'll start a new thread.
As a consultant, it's getting harder and harder to surprise me and I don't really trust what users say about how they think things work anymore.
I don't believe it. There had to be a leaky water pipe involved somewhere as well!
