centos 7 as a router?

Issues related to configuring your network
bryan1
Posts: 11
Joined: 2017/10/09 23:44:13

centos 7 as a router?

Post by bryan1 » 2017/10/09 23:51:07

I have a box running Centos 7 with 8 network cards in it.

How would you make it a router in the following network topology?
[Attachment: open source router.png]

singh_ravinder123
Posts: 4
Joined: 2017/10/06 05:59:19

Re: centos 7 as a router?

Post by singh_ravinder123 » 2017/10/11 11:48:38

Use this if you are not using any routing protocol (I mean, for static route entries):

# route
# man route
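As an added example (not from this thread or from the reply above), the script below renders the three pieces a multi-NIC CentOS 7 box needs in order to forward between its NICs, and with --apply (as root) writes them, applies them and checks that forwarding is really on. It uses the iproute2 `ip route` syntax and the per-interface route-<if> files that CentOS 7 persists, rather than the net-tools `route` command. Interface names (eth0 as the WAN link, eth1 and eth2 as inside links), subnets and next hops are placeholders, not the poster's network.

```shell
#!/bin/sh
# Added example: render, check and optionally apply the configuration that turns
# a multi-NIC CentOS 7 host into a static router. Names/addresses are placeholders.
set -e

WAN_IF="eth0"          # link towards the ISP / INET (assumed name)
LAN_IFS="eth1 eth2"    # inside links (assumed names); list the rest of the 8 NICs here
# Static routes in `ip route` argument syntax, one per line. The last field is the
# egress interface, which decides which route-<if> file the line belongs to.
STATIC_ROUTES="10.20.0.0/16 via 192.168.10.254 dev eth1
10.30.0.0/24 via 192.168.20.254 dev eth2"

# Kernel side: forwarding on, strict reverse-path filtering (a packet arriving on
# the wrong interface for its source address is dropped), no ICMP redirects, no
# source routing. Lives in /etc/sysctl.d so it survives a reboot.
render_sysctl() {
  cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
EOF
}

# Persistent static routes: /etc/sysconfig/network-scripts/route-<if> accepts
# `ip route` argument lines; keep only the routes whose egress interface matches.
render_route_file() {
  printf '%s\n' "$STATIC_ROUTES" | awk -v ifname="$1" '$NF == ifname'
}

# firewalld side: WAN in the 'external' zone with masquerade (NAT for the inside
# subnets toward INET), inside links in 'internal'. Printed rather than executed
# so the result can be reviewed before it touches a live box.
render_firewall_cmds() {
  echo "firewall-cmd --permanent --zone=external --change-interface=$WAN_IF"
  for i in $LAN_IFS; do
    echo "firewall-cmd --permanent --zone=internal --change-interface=$i"
  done
  echo "firewall-cmd --permanent --zone=external --add-masquerade"
  echo "firewall-cmd --reload"
}

# Run on the router as root: write the files, load them, then verify.
apply_router_config() {
  render_sysctl > /etc/sysctl.d/90-router.conf
  sysctl -p /etc/sysctl.d/90-router.conf
  for i in $LAN_IFS; do
    render_route_file "$i" > "/etc/sysconfig/network-scripts/route-$i"
    # `replace` is idempotent; word-splitting of $r is intended here
    render_route_file "$i" | while read -r r; do ip route replace $r; done
  done
  render_firewall_cmds | sh
  # The check a practitioner wants: is the box actually forwarding now?
  [ "$(sysctl -n net.ipv4.ip_forward)" = "1" ] || { echo "forwarding still off" >&2; exit 1; }
  # Spot check which interface and next hop a packet to an inside subnet would take.
  ip route get 10.20.0.1
}

case "${1:-}" in
  --apply) apply_router_config ;;
  *) render_sysctl; echo
     for i in $LAN_IFS; do echo "# route-$i"; render_route_file "$i"; done; echo
     render_firewall_cmds ;;
esac
```

Without arguments the script only prints what it would install, which is the form to review (or diff against a running box) first. If NetworkManager owns the interfaces, `nmcli connection modify <name> connection.zone external` is the equivalent of the --change-interface lines.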

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: centos 7 as a router?

Post by jlehtone » 2017/10/11 12:26:37

How would you make it a router in the following network topology?
Is that a list of physical connections? What is the logical topology that has to be achieved?

bryan1
Posts: 11
Joined: 2017/10/09 23:44:13

Re: centos 7 as a router?

Post by bryan1 » 2017/10/12 02:12:10

That
jlehtone wrote:
How would you make it a router in the following network topology?
Is that a list of physical connections? What is the logical topology that has to be achieved?
Physical Connections.

I was planning to get a layer 3 switch but was told I need to purchase a router.
[Attachment: logical diagram (diagram b.png)]
I need to change the physical topology of the current design so that the 2 routers that are connected to the firewall move up to the same level.
[Attachment: Current Network Diagram (Current Design.png)]

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: centos 7 as a router?

Post by jlehtone » 2017/10/12 12:59:22

Let's see if I read those right:

* There is a subnet in the "office". I call it OffLAN.

* There is/are datacenter subnet(s). HPClan. (Assuming routed link. One could extend OffLAN to datacenter via bridged MPLS.)

* There is external Tech Support group with their TSlan subnet.

* The OffLAN has two physical links out: ISP and Verizon. The ISP links to INET (internet) and the Verizon MPLS is assumed to be "trusted/dedicated/private".

* The OffLAN has third, logical, link out: VPN to TSlan.

* Devices of OffLAN are connected by switch(es) (and wireless access points, AP).


In the most compact case only one of the members of OffLAN acts as a router. The device has three connected wires: to OffLAN, to ISP modem, and to Verizon. The device supports MPLS, acts as a VPN (server?) endpoint, and has firewall rules for each interface. Life is simple in the OffLAN; there is only one gateway to all other subnets.

I don't know Verizon, but I bet that MPLS will never be implemented in a "one and only" router. I assume that they provide/own/admin a discrete MPLS router. (RVer)

That would make two routers connected to the internal switch of the OffLAN, yours and RVer. OffLAN and HPClan communicate via the RVer.


The wire from the ISP modem carries the part of INET that we usually call WAN. You say that WAN ends at Firewall-Pri and OffLAN has RouterX at its "front door". What is between RouterX and Firewall-Pri? A different subnet?

bryan1
Posts: 11
Joined: 2017/10/09 23:44:13

Re: centos 7 as a router?

Post by bryan1 » 2017/10/13 00:47:57

jlehtone wrote: Let's see if I read those right:

* There is a subnet in the "office". I call it OffLAN.

* There is/are datacenter subnet(s). HPClan. (Assuming routed link. One could extend OffLAN to datacenter via bridged MPLS.)

* There is external Tech Support group with their TSlan subnet.

* The OffLAN has two physical links out: ISP and Verizon. The ISP links to INET (internet) and the Verizon MPLS is assumed to be "trusted/dedicated/private".

The ISP links to INET (internet), and the Verizon MPLS is the "trusted/dedicated/private" one. One router created a tunnel to this "trusted/dedicated/private" link. A layer 3 device must use the IP address of the virtual router as the gateway. The MPLS and Internet are combined as one in the logical topology.

* The OffLAN has third, logical, link out: VPN to TSlan. True, TSlan uses VPN Route to OffLAN as primary connection to HPClan, TSlan has a backup router in HPClan if the router at OffLAN fails.

* Devices of OffLAN are connected by switch(es) (and wireless access points, AP). Yes

In the most compact case only one of the members of OffLAN acts as a router. The device has three connected wires: to OffLAN, to ISP modem, and to Verizon. The device supports MPLS, acts as a VPN (server?) endpoint, and has firewall rules for each interface. Life is simple in the OffLAN; there is only one gateway to all other subnets.

I don't know Verizon, but I bet that MPLS will never be implemented in "one and only" router. I assume that they provide/own/admin discreet MPLS router. (RVer)
MPLS goes into the R1 router on its WAN interface, and its LAN interface is connected to OffLAN. R1 forwards IP to the virtual router (HSRP).

If MPLS fails, logically the connection to HPClan will stay up with another router using the Internet with VPN tunnels, also forwarding traffic to the same virtual router (HSRP). The layer 3 route uses the virtual HSRP address as the gateway for OffLAN to reach HPClan.


That would make two routers connected to the internal switch of the OffLAN, your and RVer. OffLAN and HPClan communicate via the RVer.
In the physical topology the router for the MPLS is behind the firewall, connected to a switch. This is a different router, a third router, that is the primary connection from OffLAN to HPClan.


The wire from ISP modem has the part of INET that we usually call WAN. You say that WAN ends to Firewall-Pri and OffLAN has RouterX at its "front door". What is between RouterX and Firewall-Pri? A different subnet?
Currently a layer 3 splice in transparent mode (backup route from OffLAN to HPClan). The router to TSLan from OffLAN is also a transparent layer 3 splice.
[Attachment: network.png]

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: centos 7 as a router?

Post by jlehtone » 2017/10/13 06:45:47

OK. Let's forget HA redundancy for a moment still.

Your pictures have a firewall and a router between ISP WAN and OffLAN.
Two side-by-side routes. Why?

Why does the INET have a choice to try to access OffLAN either via RTR or Firewall?


On consumer setups the outer firewall is in the router device. Outsider has to get through the firewall in order to reach the router and through router to reach the OffLAN. Not either-or. There would be no reason to bolt the door, if all windows are wide open.


You presumably have "hardware firewall" devices. I'm not familiar with those, but in principle a firewall can be either a router or a bridge.

If your firewall is a router, then you have firewalled router and "plain" router side-by-side and traffic can use either. That is how I see your topologies.

If the firewall is a bridge, then WAN and OffLAN are not separate subnets, OffLAN has public IP addresses, and having those plain RTR's makes no sense (apart from acting as VPN tunnel endpoints).

Note: AFAIK, the main marketing point on devices sold to consumers as "firewalls" rather than "routers" seems to be that they provide VPN tunnel endpoint, while consumer "routers" are too weak for multiple VPN tunnels and focus on wireless AP (which has nothing to do with routing).


Now the HA. The ISP modem is a single point of failure. By the "active/passive" in firewalls I take that there is one logical connection between the modem and "a firewall". Somehow, only one of the firewall devices is "the firewall" at any given time.


Your original question was about a device that you have to purchase. Which part of the topologies is that? In other words, what do you have now and what should you have "yesterday"?

bryan1
Posts: 11
Joined: 2017/10/09 23:44:13

Re: centos 7 as a router?

Post by bryan1 » 2017/10/13 17:21:46

jlehtone wrote: OK. Let's forget HA redundancy for a moment still.

Your pictures have a firewall and a router between ISP WAN and OffLAN.

Two side-by-side routes. Why?

First route is the normal consumer setup...OffLAN to Internet , VPN from anywhere except for TsLAN or HPClan...etc.

The second route is custom Internet based LAN to LAN VPN service the TsLAN uses to support all their software platforms (which includes servers in the datacenter) The network architecture is designed around Cisco's Integrated Services Routing and firewall technology in conjunction with network address translation standards to avoid I.P. network overlaps with OffLAN


Why does the INET has a choice to try access OffLAN either via RTR or Firewall?
There is no choice here: different subnets doing the same thing for different purposes, to avoid IP overlapping, while both need to reach INET.

You presumably have "hardware firewall" devices. I'm not familiar with those, but in principle a firewall can be either a router or a bridge.

They are Hardware Firewalls.

If your firewall is a router, then you have firewalled router and "plain" router side-by-side and traffic can use either. That is how I see your topologies.

Looks that way, but permitted traffic is defined to use only one, not both, to reach INET. I want to physically separate the 2 routes so the second route will not depend on the primary/active firewall.

If the firewall is a bridge, then WAN and OffLAN are not separate subnets, OffLAN has public IP addresses, and having those plain RTR's makes no sense (apart from acting as VPN tunnel endpoints).

Firewall is the gateway, all the routers dealing with the HpcLAN is using the same servers on different subnets avoiding ip overlapping to achieve the logical purposes for their existence.

Note: AFAIK, the main marketing point on devices sold to consumers as "firewalls" rather than "routers" seems to be that they provide VPN tunnel endpoint, while consumer "routers" are too weak for multiple VPN tunnels and focus on wireless AP (which has nothing to do with routing).

The 2 firewalls and the 2 routers were supposed to connect to a layer 2 switch, but the Internet modem only supports layer 3 technology. A vendor told me I will need another router and that a layer 3 switch wouldn't work.

Currently the firewall has my public IP of OffLan; the other 2 routers have an IP address in the same subnet, but they use the IP address of the firewall as the gateway to the Internet.


Now the HA. The ISP modem is a single point of failure. By the "active/passive" in firewalls I take that there is one logical connection between the modem and "a firewall". Somehow, only one of the firewall devices is "the firewall" at any given time.

Yes, and I am trying to add another point of failure between the ISP modem and my OffLAN, to make the logical connection between the modem and the firewall stay up if the physical connection from the primary firewall fails.

Your original question was about a device that you have to purchase. Which part of the topologies is that? In other words, what do you have now and what should you have "yesterday"?
What I have now is (physical topology) ----> ISP Modem -> Firewall -> the 2 routers & OffLAN

What I want to do is change the physical topology to ---> ISP Modem -> [new switch/router] -> 2 firewalls & 2 routers -> OffLAN (4 devices with a WAN physical connection to the [new switch/router] to reach INET, and LAN physical connections to the OffLAN switch)

The logical topology will stay the same with OffLAN being the default LAN, HpcLAN has servers logically on the LAN , TsLAN connects to HpcLAN

90 percent of HpcLAN's customers do not have my current physical topology; they have their networks physically connected with their routers not physically connected to one firewall.

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: centos 7 as a router?

Post by jlehtone » 2017/10/13 20:51:15

bryan1 wrote:They are Hardware Firewalls.
Google "HA firewall". You should find active/backup fw tutorials for Ubuntu, Sophos, and some "hardware" brands. In most the two firewalls monitor each other and when the active goes down, the backup activates. Not only that, but it takes over the IP addresses used by the former active device. For the outside, only one public IP is in use. For the inside, only one IP is in use. (They might have additional, unique addresses in the inside for the monitoring, if they don't have separate link.)

There ought to be similar instructions for your brand. That is what you did pay for, didn't you?
bryan1 wrote:What I have now it (physical topology]----> ISP Modem -> Firewall

The 2 Firewalls and the 2 Routers were suppose to connect to a layer 2 switch but the Internet Modem only supports layer 3 technology. A vendor told me I will need another router and that a layer 3 switch wouldn't work.
"Modem only supports layer 3 technology"? I don't believe that unless I see it.

You have a patch cable between the modem and the active firewall. If that works, then modem---L2 switch---firewall should work too.

If the firewalls can be set up to do the active/backup, then the modem and both firewalls (WAN port) can be connected to the same L2 switch. The modem will think that it is talking to one device only (that has your "public ip of OffLan"). (Unless the modem/ISP enforces a MAC filter that accepts exactly one registered MAC address from you.)
bryan1 wrote:Firewall is the gateway, all the routers dealing with the HpcLAN is using the same servers on different subnets avoiding ip overlapping to achieve the logical purposes for their existence.
If there are separate subnets, then they should be shown in topology as separate. If they are connected to same L3 switch that has been segmented into VLANs, then topology should show separate switch for each subnet.
bryan1 wrote:Currently the Firewall has my public ip of OffLan, the other 2 router have a ip address in the same subnet...but they use the IP address of the firewall as the gateway to the internet
"in the same subnet"? Which subnet? The WAN or the OffLAN?

"use the IP address of the firewall as the gateway"? Which address? The firewall has public address on its "WAN" port and private(?) address in its "OffLAN" port.

A router has at least two addresses, because it is connected to at least two subnets.

This is what I would do:

modem -- L2 switch -- [WAN-IP firewall(s) OffLAN-IP] -- switch -- all members of OffLAN, including the "VPN routers"
* The VPN endpoints (that do route) have just one physical link and IP, to OffLAN. The other address(es) of these routers are VPNs.
* The firewall is configured to port forward VPN from outside into the VPN endpoints. Since you have two endpoints, they must use different ports (on the WAN-IP of the firewall).
* If the OffLAN is more than one subnet, then the inside switch is either L3 with VLANs, or each subnet has a separate physical switch. The firewall is the main router for everyone.


Disclaimer: I might be wrong.
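As an added example (not from the thread or from the poster above), here is the port-forwarding step of that proposal rendered as firewall-cmd rules on the 'external' zone, with a check that the two VPN endpoints really do get distinct WAN port/proto pairs on the firewall's single WAN-IP. The endpoint addresses and the UDP port numbers are assumptions, not the poster's configuration.

```shell
#!/bin/sh
# Added example: DNAT ("forward-port") rules on a CentOS 7 firewalld host that hand
# inbound VPN traffic to two inside VPN endpoints. Addresses/ports are placeholders.
set -e

# "wan_port/proto  inside_ip:inside_port", one line per VPN endpoint.
# Both endpoints sit behind the same public WAN-IP, so each needs its own
# WAN port/proto pair; the render step refuses a collision instead of letting
# the second rule silently shadow the first.
VPN_FORWARDS="1194/udp 192.168.1.11:1194
1195/udp 192.168.1.12:1194"

# Emit one firewall-cmd rule per line; exit non-zero on a malformed line or a
# duplicate wan_port/proto key.
render_forward_ports() {
  printf '%s\n' "$1" | awk '
    NF != 2     { print "bad line: " $0 > "/dev/stderr"; bad = 1; next }
    seen[$1]++  { print "duplicate WAN port " $1 > "/dev/stderr"; bad = 1; next }
    {
      split($1, wp, "/"); split($2, ip, ":")
      printf "firewall-cmd --permanent --zone=external --add-forward-port=port=%s:proto=%s:toport=%s:toaddr=%s\n",
             wp[1], wp[2], ip[2], ip[1]
    }
    END { exit bad }'
}

# Run on the firewall as root: install the rules, reload, then show what is
# actually active so the result can be compared with the intended list.
apply_forward_ports() {
  render_forward_ports "$VPN_FORWARDS" | sh
  firewall-cmd --reload
  firewall-cmd --zone=external --list-forward-ports
}

case "${1:-}" in
  --apply) apply_forward_ports ;;
  *) render_forward_ports "$VPN_FORWARDS" ;;
esac
```

Run without arguments to see the rules before installing them. A forward-port to another host only works with net.ipv4.ip_forward set to 1 and, per firewalld's own documentation, masquerading enabled on the zone; after --apply, the `--list-forward-ports` output is the place to confirm both endpoints are present with the ports you expect, and the remote VPN peers must be told the non-default port of the second endpoint.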

bryan1
Posts: 11
Joined: 2017/10/09 23:44:13

Re: centos 7 as a router?

Post by bryan1 » 2017/10/14 11:35:35

jlehtone wrote:
bryan1 wrote:They are Hardware Firewalls.
Google "HA firewall". You should find active/backup fw tutorials for Ubuntu, Sophos, and some "hardware" brands. In most the two firewalls monitor each other and when the active goes down, the backup activates. Not only that, but it takes over the IP addresses used by the former active device. For the outside, only one public IP is in use. For the inside, only one IP is in use. (They might have additional, unique addresses in the inside for the monitoring, if they don't have separate link.)

There ought to be similar instructions for your brand. That is what you did pay for, didn't you?

My bad, I just realized you meant high availability, not hardware firewalls. I already have that configured and working.
bryan1 wrote:What I have now it (physical topology]----> ISP Modem -> Firewall

The 2 Firewalls and the 2 Routers were suppose to connect to a layer 2 switch but the Internet Modem only supports layer 3 technology. A vendor told me I will need another router and that a layer 3 switch wouldn't work.
"Modem only supports layer 3 technology"? I don't believe that unless I see it.

Now I realize I was referring to a logical topology worksheet they left me. In the ISP's physical topology they have fiber coming into the building to my first telephone closet, connected to what I assume is a layer 2 device; then they installed a Cisco 3945E router, which is what I have to use as the gateway to the Internet.
You have a patch cable between the modem and the active firewall. If that works, then modem---L2 switch---firewall should work too.

I tested a layer 2 switch and I couldn't reach the Internet with it in the topology. The AT&T 3945E router is configured so that I have 30 public IP addresses.
If the firewalls can be set up to do the active/backup, then modem and both firewalls (WAN port) can be connected to the same L2 switch. The modem will think that it is talking to one device only (that has your "public ip of OffLan"). (Unless the modem/ISP enforces a MAC filter that accepts exacly one registered MAC-address from you.)
bryan1 wrote:Firewall is the gateway, all the routers dealing with the HpcLAN is using the same servers on different subnets avoiding ip overlapping to achieve the logical purposes for their existence.
If there are separate subnets, then they should be shown in topology as separate. If they are connected to same L3 switch that has been segmented into VLANs, then topology should show separate switch for each subnet.

My bad; trying to put each subnet down on the diagram makes my head want to explode. Those routers have like 20 subnets, but after studying them all I need is to configure a layer 3 router to use the HSRP router as the gateway to reach 4 subnets.
bryan1 wrote:Currently the Firewall has my public ip of OffLan, the other 2 router have a ip address in the same subnet...but they use the IP address of the firewall as the gateway to the internet
"in the same subnet"? Which subnet? The WAN or the OffLAN?

Each router has its own WAN IP address from the AT&T router. Ignoring all the mind-blowing NATs for now, they use the firewall as the gateway to the Internet, while the firewall uses the AT&T router as its gateway.

"use the IP address of the firewall as the gateway"? Which address? The firewall has public address on its "WAN" port and private(?) address in its "OffLAN" port.

The routers have their own public address on their "WAN" port and a private address on the OffLAN port. I scratched my head for a year trying to get this to make sense to me.

A router has at least two addresses, because it is connected to at least two subnets.

Right. The routers and the firewall have a public static IP address. The firewall has a public DNS record configured but the routers do not.
This is what I would do:

modem -- L2 switch -- [WAN-IP firewall(s) OffLAN-IP] -- switch -- all members of OffLAN, including the "VPN routers"
* The VPN endpoints (that do route) have just one physical link and IP, to OffLAN. The other address(es) of these routers are VPNs.
* The firewall is configured to port forward VPN from outside into the VPN endpoints. Since you have two endpoints, they must use different ports (on WAN-IP of firewall).
* If the OFFLAN is more than one subnets, then the inside switch is either L3 with VLANs, or each subnet has separate physical switch. The firewall is the main router for everyone.

Now I know I should have put the actual modem in the diagram; sorry, I forgot about it.

What I have right now is

ISP Modem -- ISP Router -- WAN IP Firewall, with the router WAN ports connected behind it (transparent layer 3 splice) -- switch -- all members of the OffLAN

What I want to achieve is

ISP Modem -- ISP Router -- [layer 3 router or switch] hosting the WAN IPs for the firewalls and routers -- switch (with the routers' LAN ports connected
[Attachment: current and want to change to.png]
Disclaimer: I might be wrong.

I need to create a signature and put this disclaimer in it.

Actually, this is the physical topology right now...
[Attachment: current diagram.png]
