EdgeRouter routing



  • I have a client with an EdgeRouter and they want to have their own internet connection, but still be able to connect to another LAN (we'll call it Corp LAN) in the building that has a site to site connection to a server they need to access. Internet connection is working fine. When ever I put a patch cable in to Eth3 to connect to the Corp LAN, it kills the ER LAN clients. In troubleshooting I noticed that the ER creates a route out of both interfaces and won't let me edit them. I want to create a static route so that only the traffic destined for the one server goes out Eth3.
    0_1509467306273_ER-LANEth3.png



  • Don’t pull dhcp on eth3



  • @jaredbusch said in EdgeRouter routing:

    Don’t pull dhcp on eth3

    Thanks @JaredBusch that let me plug it in without locking up the network. I added the routes below and still can't connect. When I do a tracert from a windows machine, it shows my first hop is 10.1.62.1, so it doesn't appear to be using the ETH3 interface.

    0_1509473679128_route.png



  • You will likely have to add a route from the CorpLan back to your EdgeRouter as well.



  • @dafyre said in EdgeRouter routing:

    You will likely have to add a route from the CorpLan back to your EdgeRouter as well.

    I should probably explain the backstory. The client contacted us and said they wanted to disconnect from the Corp LAN and run on their own network. They ordered up their own internet connection and we came in with a bunch of Ubiquiti gear and cut them over. A day later they told us that one app didn't work anymore. We looked at the app and it was connecting to 10.66.1.100 so we figured that on their old network they must have had a site to site VPN running. That's when we got the idea to just connect back in to the corp LAN with ETH3 on our router as if it was just one of the computers. Seems like if a computer on that subnet could reach the server, the router could. Does that make sense?



  • @mike-davis said in EdgeRouter routing:

    @dafyre said in EdgeRouter routing:

    You will likely have to add a route from the CorpLan back to your EdgeRouter as well.

    I should probably explain the backstory. The client contacted us and said they wanted to disconnect from the Corp LAN and run on their own network. They ordered up their own internet connection and we came in with a bunch of Ubiquiti gear and cut them over. A day later they told us that one app didn't work anymore. We looked at the app and it was connecting to 10.66.1.100 so we figured that on their old network they must have had a site to site VPN running. That's when we got the idea to just connect back in to the corp LAN with ETH3 on our router as if it was just one of the computers. Seems like if a computer on that subnet could reach the server, the router could. Does that make sense?

    Vaguely... diagram would be helpful as my brain has shut down on me already.



  • The corporate router needs a route that points all traffic for 10.1.62.0/24 to the IP of eth3 on the ERL.

    Otherwise it will send that traffic out its default gateway.



  • Also, you look to have multiple weird networks going on here.

    10.1.62.0/24 is your LAN.

    What is 10.66.1.0/24 and 192.168.62.0/24?

    I think that 192.168.62.0/24 is the actual corporate LAN?

    Then WTF is 10.66.1.0/24?



  • @mike-davis said in EdgeRouter routing:

    a to just connect back in to the corp LAN with ETH3 on our router as if it was just one of the computers. Seems like if a comput

    Also, if there are any more routers on the other side of the VPN tunnel, they will need routes to know how to get back to your internal network as well.

    Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?



  • Thanks for the suggestions. Let me whip up a diagram.



  • Here is basically what the old configuration looked like:
    0_1509481966409_Audio-old.png



  • This is what I have now:0_1509482524109_Audio-new.png



  • Basically I plugged the Edge router in where the computer was plugged in and statically assigned the IP address to Eth3 on the ER. The cisco router that Corp supplied must have a site to site VPN running since 10.66.1.100 is a private address.



  • @mike-davis said in EdgeRouter routing:

    Basically I plugged the Edge router in where the computer was plugged in and statically assigned the IP address to Eth3 on the ER. The cisco router that Corp supplied must have a site to site VPN running since 10.66.1.100 is a private address.

    This is not how any of this works.



  • @dashrender said in EdgeRouter routing:

    Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?

    Probably could, but the way it was Corp was connecting in and messing with their machines so they don't want to have a wide open connection.



  • @mike-davis said in EdgeRouter routing:

    @dashrender said in EdgeRouter routing:

    Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?

    Probably could, but the way it was Corp was connecting in and messing with their machines so they don't want to have a wide open connection.

    You setup a rule in the ERL to only allow connectivity to/from the IP of the specific server that you need access to.



  • @mike-davis said in EdgeRouter routing:

    @dashrender said in EdgeRouter routing:

    Do you not have an option for setting up a VPN connection to this 10.66.1.100 device from within the new network?

    Probably could, but the way it was Corp was connecting in and messing with their machines so they don't want to have a wide open connection.

    Unless this is legally an entire separate entity, corporate SHOULD be doing that.



  • From your diagram, it's likely that server 10.66.1.100 has no idea how to get back to 10.1.62.20. You need to give it a route to Corp Cisco router for network/node 10.1.62.20 and the corp cisco router needs a route also to network/node 10.1.62.20.



  • @jaredbusch said in EdgeRouter routing:

    Unless this is legally an entire separate entity, corporate SHOULD be doing that.

    It's a Dr has her own practice, but consults for them. Other specialists in the building are owned by corporate, so when it came to connectivity, they just plugged her in to their LAN. It made it easy to connect to their server, but other things are a real pain because they don't own her equipment etc.



  • @dashrender said in EdgeRouter routing:

    From your diagram, it's likely that server 10.66.1.100 has no idea how to get back to 10.1.62.20. You need to give it a route to Corp Cisco router for network/node 10.1.62.20 and the corp cisco router needs a route also to network/node 10.1.62.20.

    When the laptop is plugged in where the ER is, it has no problem connecting.



  • @mike-davis said in EdgeRouter routing:

    @dashrender said in EdgeRouter routing:

    From your diagram, it's likely that server 10.66.1.100 has no idea how to get back to 10.1.62.20. You need to give it a route to Corp Cisco router for network/node 10.1.62.20 and the corp cisco router needs a route also to network/node 10.1.62.20.

    When the laptop is plugged in where the ER is, it has no problem connecting.

    Sure, because that new network you created behind the EdgeRouter isn't in the middle, but you've introduced a new network behind another network. So the far side (10.66.1.100) has no idea that the 10.1.62.1 network exists, so it doesn't know how to get there. The same is true of the Cisco Router. it's unaware that you've put a new network in place behind the 192.168.61.1 network (again, namely the 10.1.62.20 network).

    https://i.imgur.com/4BLJbGw.png



  • @dashrender

    Since 10.1.62.x is NATed behind the ER how would the other networks know about it?
    Wouldn't they only need to get back to 192.168.62.20 ?



  • @mike-davis said in EdgeRouter routing:

    Since 10.1.62.x is NATed behind the ER how would the other networks know about it?
    Wouldn't they only need to get back to 192.168.62.20 ?

    I think that partially answers my question. I'm not NATing eth3 yet....



  • creating a masq for eth3 automatically created a static route for 192.168.62.0/24, and then I added a couple of more routes, but something isn't right because my ping from the windows box looks like this:

    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.66.1.100: bytes=32 time=1ms TTL=61
    Reply from 10.66.1.100: bytes=32 time=2ms TTL=61
    Reply from 10.66.1.100: bytes=32 time=2ms TTL=61
    Reply from 10.66.1.100: bytes=32 time=2ms TTL=61
    Reply from 10.66.1.100: bytes=32 time=1ms TTL=61
    Reply from 10.66.1.100: bytes=32 time=2ms TTL=61
    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.66.1.100: bytes=32 time=1ms TTL=61
    Reply from 10.66.1.100: bytes=32 time=2ms TTL=61
    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.66.1.100: bytes=32 time=1ms TTL=61
    Request timed out.
    Reply from 10.66.1.100: bytes=32 time=1ms TTL=61
    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.66.1.100: bytes=32 time=1ms TTL=61
    Reply from 10.66.1.100: bytes=32 time=2ms TTL=61
    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.66.1.100: bytes=32 time=2ms TTL=61
    Reply from 10.1.62.1: Destination host unreachable.
    Reply from 10.66.1.100: bytes=32 time=1ms TTL=61
    Reply from 10.1.62.1: Destination host unreachable.
    


  • Got it. 🙂

    Added a static route of 10.66.1.0/24 192.168.62.1 eth3 and life is good.



  • The tracert is interesting. The server that I thought was across a site to site VPN is more likely in the building due to the ping times:

    Tracing route to 10.66.1.100 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  10.1.62.1
      2     1 ms     2 ms     1 ms  192.168.62.1
      3     2 ms     2 ms     1 ms  192.168.180.2
      4     2 ms     2 ms     1 ms  10.66.1.100
    
    Trace complete.
    


  • @mike-davis said in EdgeRouter routing:

    @mike-davis said in EdgeRouter routing:

    Since 10.1.62.x is NATed behind the ER how would the other networks know about it?
    Wouldn't they only need to get back to 192.168.62.20 ?

    I think that partially answers my question. I'm not NATing eth3 yet....

    LOL that was going to be my next question - are you actually NATing?



  • @mike-davis said in EdgeRouter routing:

    The tracert is interesting. The server that I thought was across a site to site VPN is more likely in the building due to the ping times:

    Tracing route to 10.66.1.100 over a maximum of 30 hops
    
      1    <1 ms    <1 ms    <1 ms  10.1.62.1
      2     1 ms     2 ms     1 ms  192.168.62.1
      3     2 ms     2 ms     1 ms  192.168.180.2
      4     2 ms     2 ms     1 ms  10.66.1.100
    
    Trace complete.
    

    Gotta love finding equipment you didn't know was on-site... kinda. documentation



  • @travisdh1 said in EdgeRouter routing:

    Gotta love finding equipment you didn't know was on-site...

    I once found a 48 port switch bolted to the top of a partition wall up above a ceiling. If I can find a picture, I'll start a new thread.

    As a consultant, it's getting harder and harder to surprise me and I don't really trust what users say about how they think things work anymore.



  • @mike-davis said in EdgeRouter routing:

    @travisdh1 said in EdgeRouter routing:

    Gotta love finding equipment you didn't know was on-site...

    I once found a 48 port switch bolted to the top of a partition wall up above a ceiling. If I can find a picture, I'll start a new thread.

    As a consultant, it's getting harder and harder to surprise me and I don't really trust what users say about how they think things work anymore.

    I don't believe it. There had to be a leaky water pipe involved somewhere as well! 😉


Log in to reply