Solved EdgeRouter routing
-
I have a client with an EdgeRouter and they want to have their own internet connection, but still be able to connect to another LAN (we'll call it Corp LAN) in the building that has a site to site connection to a server they need to access. Internet connection is working fine. When ever I put a patch cable in to Eth3 to connect to the Corp LAN, it kills the ER LAN clients. In troubleshooting I noticed that the ER creates a route out of both interfaces and won't let me edit them. I want to create a static route so that only the traffic destined for the one server goes out Eth3.
-
Don’t pull dhcp on eth3
-
@jaredbusch said in EdgeRouter routing:
Don’t pull dhcp on eth3
Thanks @JaredBusch that let me plug it in without locking up the network. I added the routes below and still can't connect. When I do a tracert from a windows machine, it shows my first hop is 10.1.62.1, so it doesn't appear to be using the ETH3 interface.
-
You will likely have to add a route from the CorpLan back to your EdgeRouter as well.
-
@dafyre said in EdgeRouter routing:
You will likely have to add a route from the CorpLan back to your EdgeRouter as well.
I should probably explain the backstory. The client contacted us and said they wanted to disconnect from the Corp LAN and run on their own network. They ordered up their own internet connection and we came in with a bunch of Ubiquiti gear and cut them over. A day later they told us that one app didn't work anymore. We looked at the app and it was connecting to 10.66.1.100 so we figured that on their old network they must have had a site to site VPN running. That's when we got the idea to just connect back in to the corp LAN with ETH3 on our router as if it was just one of the computers. Seems like if a computer on that subnet could reach the server, the router could. Does that make sense?
-
@mike-davis said in EdgeRouter routing:
@dafyre said in EdgeRouter routing:
You will likely have to add a route from the CorpLan back to your EdgeRouter as well.
I should probably explain the backstory. The client contacted us and said they wanted to disconnect from the Corp LAN and run on their own network. They ordered up their own internet connection and we came in with a bunch of Ubiquiti gear and cut them over. A day later they told us that one app didn't work anymore. We looked at the app and it was connecting to 10.66.1.100 so we figured that on their old network they must have had a site to site VPN running. That's when we got the idea to just connect back in to the corp LAN with ETH3 on our router as if it was just one of the computers. Seems like if a computer on that subnet could reach the server, the router could. Does that make sense?
Vaguely... diagram would be helpful as my brain has shut down on me already.
-
The corporate router needs a route that points all traffic for 10.1.62.0/24 to the IP of eth3 on the ERL.
Otherwise it will send that traffic out its default gateway.
-
Also, you look to have multiple weird networks going on here.
10.1.62.0/24 is your LAN.
What is 10.66.1.0/24 and 192.168.62.0/24?
I think that 192.168.62.0/24 is the actual corporate LAN?
Then WTF is 10.66.1.0/24?
-
@mike-davis said in EdgeRouter routing:
a to just connect back in to the corp LAN with ETH3 on our router as if it was just one of the computers. Seems like if a comput
Also, if there are any more routers on the other side of the VPN tunnel, they will need routes to know how to get back to your internal network as well.
Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?
-
Thanks for the suggestions. Let me whip up a diagram.
-
Here is basically what the old configuration looked like:
-
This is what I have now:
-
Basically I plugged the Edge router in where the computer was plugged in and statically assigned the IP address to Eth3 on the ER. The cisco router that Corp supplied must have a site to site VPN running since 10.66.1.100 is a private address.
-
@mike-davis said in EdgeRouter routing:
Basically I plugged the Edge router in where the computer was plugged in and statically assigned the IP address to Eth3 on the ER. The cisco router that Corp supplied must have a site to site VPN running since 10.66.1.100 is a private address.
This is not how any of this works.
-
@dashrender said in EdgeRouter routing:
Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?
Probably could, but the way it was Corp was connecting in and messing with their machines so they don't want to have a wide open connection.
-
@mike-davis said in EdgeRouter routing:
@dashrender said in EdgeRouter routing:
Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?
Probably could, but the way it was Corp was connecting in and messing with their machines so they don't want to have a wide open connection.
You setup a rule in the ERL to only allow connectivity to/from the IP of the specific server that you need access to.
-
@mike-davis said in EdgeRouter routing:
@dashrender said in EdgeRouter routing:
Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?
Probably could, but the way it was Corp was connecting in and messing with their machines so they don't want to have a wide open connection.
Unless this is legally an entire separate entity, corporate SHOULD be doing that.
-
From your diagram, it's likely that server 10.66.1.100 has no idea how to get back to 10.1.62.20. You need to give it a route to Corp Cisco router for network/node 10.1.62.20 and the corp cisco router needs a route also to network/node 10.1.62.20.
-
@jaredbusch said in EdgeRouter routing:
Unless this is legally an entire separate entity, corporate SHOULD be doing that.
It's a Dr has her own practice, but consults for them. Other specialists in the building are owned by corporate, so when it came to connectivity, they just plugged her in to their LAN. It made it easy to connect to their server, but other things are a real pain because they don't own her equipment etc.
-
@dashrender said in EdgeRouter routing:
From your diagram, it's likely that server 10.66.1.100 has no idea how to get back to 10.1.62.20. You need to give it a route to Corp Cisco router for network/node 10.1.62.20 and the corp cisco router needs a route also to network/node 10.1.62.20.
When the laptop is plugged in where the ER is, it has no problem connecting.
