Connecting two internal networks to internet via cable modem

Thread starter: sdarisi

I need assistance in figuring out the following network connectivity
problem.

Configuration Info:
Internet <==>Cable Modem/Router<==>Symantec 300 F/W<==>Dell Switch<==>
Desktop PCs/Server (Network 1)

Also connected directly to the Cable Modem/Router is a DLink Wireless
Router which is accessed by another independent group of computer
users, all wireless users. (Network 2) (Network 2 is a new addition as
of today)

The Ambit Cable Modem/Router from Charter has one cable connection port
(for inbound cable) and four Ethernet ports in the back. The DLink
Wireless Router and the Symantec firewall appliance are connected to
two of the four Ethernet ports.

Cable Modem service is from Charter with a static IP.

Network 1 (desktops) is an internal network with IP in the
192.168.0.xxx range and an internal gateway of 192.168.0.4 with DHCP
services provided by the Symantec Firewall appliance (192.168.0.4)

Network 2 (wireless) is an internal network with IP in the
192.168.1.xxx range and internal gateway of 192.168.1.4 with DHCP
services provided by the DLink Wireless router (192.168.1.4)

Network 1 does not need to see anyone on Network 2 nor access any
resources on Network 2. The reverse is also true.


Problem:
Internet connectivity is sporadic to rare on both networks when they
are both connected to the cable modem. If the D-Link router (and thus
the entire Network 2) is disconnected from the cable modem, the desktop
network works fine. If the Symantec firewall is disconnected from the
Cable modem (and thus the entire Network 1), the wireless network is
better. When both are connected, internet connection for the wireless
users as well as the desktop users is limited to rare. Interestingly, I
can ping the Static IP address provided by Charter from both internal
networks without any lost packets when both networks are connected to
the Cable modem. I can also connect to internal interface for the DLink
router and the Symantec firewall without any problems. I can ping the
internal gateway addresses on each network without any problems. I can
also tracert to the static IP from both networks when they are both
connected to the Cable modem (although tracert is slow and has a few to
many timeout requests).

I would appreciate any suggestions/ideas on what might be the cause of
poor connectivity and how it can be fixed. I am wondering if the Cable
modem is performing some type of routing between the two networks as
evidenced by the slow tracert/timeouts. I will add that Charter tech
support remotely connected to the modem and advised that no routing is
being performed on the Cable modem.

Thanks in advance for the help.

Cheers
Subbarayudu
 
I reviewed your config. It's pretty difficult to fully understand someone
else's config based on a few paragraphs, so bear w/ me initially as I try to
clarify a few items.

One thing that strikes me about this config (and scares me) is the
preponderance of routers, switches, DHCP servers, etc. It may be perfectly
fine, BUT, I always have a gut level reaction to any config I review, I look
for unnecessary complexities, potential troublemakers, etc. As soon as I
saw this redundancy of equipment, the red flags went up. Again, it may be
fine, but I'm already suspicious.

Let's consider the Ambit Cable Modem Router. You said the Symantec Gateway
300 F/W and D-Link wireless router are providing DHCP services to their
respective subnets. Am I then to assume the Ambit Cable Modem/Router has
DHCP, NAT, firewall, etc., disabled?? IOW, since you've placed these
responsibilities upstream, I have to assume this is the case, because if you
haven't, that's already a bad sign.

In most instances, I strongly recommend using ONE DHCP server, NAT,
firewall, iow, ONE network. Subnets can work, but for the home or small
office, they can unnecessarily complicate configuration and maintenance. It
is also problematic. Consider the fact that your Ambit Cable Modem Router
includes a switch, from which each subnet is connected (for the purposes of
sharing the ISP connection). Sounds fine until you realize that EACH subnet
potentially has access to the other's DHCP server! Whenever two subnets are
sharing the same physical network, you want to avoid the possibility of
multiple DHCP servers because the DHCP protocol is based on a first come,
first served basis. IOW, as you've defined this configuration, I see no
reason that the wireless clients couldn't just as likely end up talking to
the DHCP server on the desktop/server subnet, and vice-versa. Whichever
DHCP server responds first is the one that ends up configuring a given
client. You have NO GUARANTEE that any specific DHCP server will respond
when there is more than one on a given physical network!

So think about the possibilities here. Let's say a client on the wireless
side ends up getting a DHCP assignment from the desktop/server side. That
client may have proper Internet access, BUT, attempts to communicate with
clients on the wireless side may fail if those other wireless clients end up
being configured by the D-Link DHCP server (they have different subnets!).
As leases expire and are reacquired, the same client may end up acquiring
from the (what you perceive as) "correct" DHCP server, and now
communication returns among its peers. And back and forth it goes, so
sometimes the client can communicate w/ its peers, sometimes not, just
depends on which DHCP happened to configure it on the last DHCP request.

Of course, I'm speculating here, this is all based on a few paragraphs in a
NG post. But unless you can convince me that you accounted for this
possibility, that would be my first guess. And as I said at the outset,
this is EXACTLY why I get nervous when I see multiple subnets on a small
network. It's so darn easy to screw it up if you're not 100% sure of what
you're doing. The instinctive reaction of a new user is to assume the DHCP
server on each network will automatically configure clients without crossing
the Ambit Cable Modem Router. Wrong! You have no such guarantee. That's
why I recommend that you disable all the DHCP services except for ONE.
Perhaps the Ambit Cable Modem Router is the natural choice for DHCP.
Sounds to me like you're trying to prevent access to each other's network
based on subnet. To that end, perhaps the Ambit can be configured to assign
IPs based say, on MAC address.

Frankly, using subnets in this fashion is a weak solution. For example,
nothing prevents a smart end user from simply changing their IP manually to
a valid IP on the other network. If they do, they're in! A better answer
is to use MAC filtering.

But at the end of the day, trying to support multiple DHCP servers, AND,
having them accessible across networks due to the shared switching of the
Ambit Cable Modem Router is bad, bad, bad, you're asking for trouble. I
believe this is why when you remove one or the other subnets from the cable
modem, everything returns to normal. YOU'VE EFFECTIVELY RETURNED TO ONE
DHCP SERVER (although you don't realize it as such). As soon as you hook
the other subnet back in, WHACK, it's now a flip of the coin which DHCP
server services any given client on either network. Trouble city.

If separation is truly important to you, the *best* solution is to have each
have its own cable modem, and its own static IP. Granted, that adds cost,
but it's the right solution. As soon as the two subnets share the switching
of that one modem, you're in for headaches. It's either that, OR, have each
subnet use the DHCP services of the cable modem. And keep it simple, use
one IP scope, one gateway IP, etc. Doesn't have to be the cable modem, the
Symantec F/W or D-Link will serve just as nicely, doesn't really matter in
the long run, just as long as it's ONE DHCP server, no more. But if you use
the cable modem's DHCP services, at least you can disconnect either the
desktop or wireless side and not affect the other.

If you want to prevent access across the desktop and wireless networks, then
use the firewall features of each subnet (Symantec and D-Link respectively),
perhaps based on MAC address. Yes, I know it's tempting to use IP, but
you're only fooling yourself. As I said, the IP can be changed manually
anyway. You only truly prevent access by keeping the subnets PHYSICALLY
separated. Anything else, like IP scope, MAC filters, etc., is problematic
(heck, it's not that hard to spoof the MAC either if someone simply Googles
for the software!). But if separation is CRITICAL, I would spend the money
and get another cable modem and static IP, that's the right solution. Avoid
any situation where you have a redundant DHCP server, firewall, NAT, etc.,
that's a recipe for disaster. Additional switches and hubs are not a
problem, but DHCP and the rest are.

If nothing else, just as a test for stability of connectivity, try using
ONLY the DHCP server on the cable modem, disable all others (including NAT,
if applicable). Don't worry about the fact each subnet can see the other,
just use ONE scope that both networks share. This is JUST an experiment!
Now see if communication is stable. If it is, then it's definitely the use
of multiple DHCP servers that's the problem. It's not something physical,
like specific equipment, cables, interference, etc.

HTH

Jim
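A small audit script, added here as an example and not part of the thread, that checks a DHCP log for the symptom Jim describes: it lists every server that answered on the shared segment, clients that were offered leases by more than one server, and clients whose successive leases flipped between servers. The simplified log format and the client MACs are constructed for the example; the server addresses are the two gateways from the post (192.168.0.4 and 192.168.1.4).

```python
import re
from collections import defaultdict

# Constructed sample log (not a capture from the thread). One client is offered
# leases by both servers and is then ACKed by a different server than before,
# which is the "flip of the coin" behaviour described in the reply.
SAMPLE_LOG = """\
10:00:01 ACK   server=192.168.1.4 client=aa:bb:cc:00:00:01 yiaddr=192.168.1.20
10:00:02 ACK   server=192.168.0.4 client=aa:bb:cc:00:00:02 yiaddr=192.168.0.51
10:00:03 OFFER server=192.168.0.4 client=aa:bb:cc:00:00:01 yiaddr=192.168.0.52
10:00:03 OFFER server=192.168.1.4 client=aa:bb:cc:00:00:01 yiaddr=192.168.1.21
10:00:04 ACK   server=192.168.0.4 client=aa:bb:cc:00:00:01 yiaddr=192.168.0.52
10:00:05 ACK   server=192.168.0.4 client=aa:bb:cc:00:00:03 yiaddr=192.168.0.53
"""

LINE_RE = re.compile(
    r"(?P<time>\S+)\s+(?P<type>OFFER|ACK)\s+server=(?P<server>\S+)"
    r"\s+client=(?P<mac>\S+)\s+yiaddr=(?P<ip>\S+)"
)


def parse(log):
    """Turn the simplified log into a list of dicts; unparsable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]


def audit(records):
    """Summarise which servers answered and which clients saw more than one."""
    offers = defaultdict(set)   # mac -> servers that sent this client an OFFER
    acks = defaultdict(list)    # mac -> servers that ACKed this client, in order
    leases = defaultdict(int)   # server -> number of ACKed leases
    for r in records:
        if r["type"] == "OFFER":
            offers[r["mac"]].add(r["server"])
        else:
            acks[r["mac"]].append(r["server"])
            leases[r["server"]] += 1
    return {
        "servers": sorted({r["server"] for r in records}),
        "leases_per_server": dict(leases),
        # offered by more than one server: the first-come-first-served race
        "contended_clients": sorted(m for m, s in offers.items() if len(s) > 1),
        # leased by different servers over time: the client hops between subnets
        "flapping_clients": sorted(m for m, s in acks.items() if len(set(s)) > 1),
    }


if __name__ == "__main__":
    report = audit(parse(SAMPLE_LOG))
    if len(report["servers"]) > 1:
        print("more than one DHCP server answering on this segment:", report["servers"])
    for key in ("leases_per_server", "contended_clients", "flapping_clients"):
        print(f"{key}: {report[key]}")
```

On a real network the same checks can be fed from a DHCP server's lease log or a packet capture filtered on UDP port 67/68, once the lines are mapped into the same fields.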