ForceBindIP (Second Internet Gateway problem)


Old Raft

Aug 24, 2016, 7:27:29 AM
to Reading Hackspace
I recently added a second Internet gateway to a LAN (Network "B"), the first gateway being on a different subnet (Network "A").

One reason for the second Internet gateway (on "B") was that the link between the two Class C subnets (A to B) is a slow link, approx. 2 Mbps.

(My own theory on slow links between two networks is that with multiple requests to access the other network, Ethernet is soon overwhelmed with retries, bringing the requesting network to a standstill.)

I soon realised that getting applications to use this second Internet gateway (on B) would not be quite as easy as I thought, as the default gateway (on B) was the interface of the network router, i.e. not the IP address of the existing Internet gateway, which sits on a different subnet (A) beyond this router.

Searching for such things as "two different Internet gateways" and variations on the same theme got me lots of info on routing in Windows, using two network cards, adding additional routes to the Windows routing table, Windows failing over from one gateway to another (this failing over does not allow you to use both gateways), etc. None, however, appeared to fix the problem of forcing an app, say Firefox or Chrome or Email, to use the Internet gateway on B.

I then came across a freeware app called ForceBindIP; this command-line app allows you to force an application to use either a specific NIC (if you have two or more) or a specific IP address.

The trick being, when I get to the network again, to give the single network card in a PC two IP addresses, then assign the second address a different default gateway, this different gateway being the IP address of the new Internet gateway. ForceBindIP can then be used to assign (bind) to the second IP address, which uses the new Internet gateway as its default gateway.

This for the moment is fantasy; it is possible to assign several IP addresses to one card in, say, IPv4 properties, and to assign this a different default gateway; whether ForceBindIP will use this second IP address and therefore the second default gateway and work with Firefox, Chrome and Thunderbird is yet to be seen.

If you have managed to follow this discussion then you will see the problem with using the second Internet gateway on an existing network with an existing default gateway.

You may have alternative suggestions which, if the config is simple for a guy who never finished reading his CCNA books, would be acceptable.

PS: Yes, there are enough IP addresses left to give each PC a second address.






Stuart Livings

Aug 24, 2016, 8:23:35 AM
to reading-...@googlegroups.com


Hi Eric,

Could you describe in detail how the two networks are currently connected?  I think understanding this is the key to coming up with the correct solution.

Stuart


Eric Rowen

Aug 24, 2016, 8:47:02 AM
to reading-...@googlegroups.com
There are four Class C subnets connected in a serial fashion

W  ------  X  ------   Y   -------   Z  
(IG1)     (IG2)

IG = Internet gateway

X & Y have two routers

W & Z  one router each

A PC, say at X, has one IP address and default gateway configured as standard (via DHCP).

W has the original Internet gateway (IG1) in use by all subnets, i.e. W, X, Y & Z.

X has the new Internet gateway (IG2).

I assume that routing tables at X and Y take traffic to W or Z etc. even though only one default gateway is configured on a PC.

If possible I would like to have to configure just PCs to guide traffic at X to IG2, but the default gateway configured, i.e. one of the two routers at X, is needed as there is traffic Internet etc. + WINS and DNS all along the route.

Hence the idea to configure a NIC with two IP addresses, the second address having the IG2 IP address as its default gateway.









Ryan .

Aug 24, 2016, 8:51:06 AM
to reading-...@googlegroups.com

Why two ISPs?

Ryan .

Aug 24, 2016, 8:51:41 AM
to reading-...@googlegroups.com

Or if not two ISPs why two gateways?

Paul Lawrence

Aug 24, 2016, 8:51:54 AM
to Reading Hackspace
I assume you want to retain the link for communication between the two subnets. If your links to the internet are sufficient it might just be easier to drop the 2 Mbps link and rather set up a VPN between the subnets running over the internet.

On the other hand, if you absolutely need the 2 Mbps link, you're better off using a router to direct the traffic based on either IP address or port number or both.

Eric Rowen

Aug 24, 2016, 9:03:47 AM
to reading-...@googlegroups.com
The link W ---- X and onwards to --- Y ----- Z is slow (2 to 3 Mbps) and can't be easily upgraded, so Internet access from the original gateway to X --- Y --- Z is slow.

W & X have most users.

Traffic W --- X is high.

As mentioned, I have found in the past that Ethernet saturates and falls over when lots of people try and access a slow link.

So additional Internet access at X would solve the traffic problem and to some extent redundancy + eventually when "superfast" broadband is available then the Internet would be faster for comms than existing links.

-------------------------

Paul, yes, I have to retain the existing (2 Mbps) links, even though, as the Email host is external, traffic could go to the Internet from both locations. The links are needed for other network traffic.

---------------

To provide Internet access redundancy and comms via Internet (VPN), eventually routers are needed, but short term a purely PC-based solution is needed.






Stuart Livings

Aug 24, 2016, 9:15:41 AM
to reading-...@googlegroups.com


I think, for me, the simplest solution would be to use the Internet gateway at X for all internet access and use the site-site links only for traffic going site-site.

To achieve this:

On the DHCP server/scope for W:

- Set the default route to point to the local (W) internet gateway.

- Add static routes for the three /24s of X, Y, Z via the router joining W,X.

On the DHCP server/scope for X:

- Set the default route to point to the local (X) internet gateway.

- Add static routes for the two /24s of Y, Z via the router joining X,Y.

- Add static route for the /24 of W via the router joining X,W.

On the DHCP server/scopes for Y/Z:

- Set the default route to point to the site-site routers so that Internet traffic is pushed towards the X network to egress out of the X internet gateway.

On the routers joining W/X, X/Y and Y/Z:

- Set static routes for each of the /24s pointing to the relevant neighbour router.

If the routers are relatively smart you could run a simple routing protocol, which would potentially be easier than statically configuring the routes.

Stuart
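
Added example, not part of the original thread or any poster's own configuration: a small model of the route table a PC on X would hold under the plan above, resolving next hops by longest prefix and then metric, and flagging sites that would fall through to the default route if the static routes were missing. All addresses and the names IG2, R_XW and R_XY are constructed for illustration; real operating systems apply further rules beyond this destination-only lookup.

```python
import ipaddress

# Constructed addressing, not from the thread: one /24 per site.
NETS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "W": "192.168.1.0/24", "X": "192.168.2.0/24",
    "Y": "192.168.3.0/24", "Z": "192.168.4.0/24"}.items()}
IG2 = "192.168.2.1"      # hypothetical Internet gateway on X
R_XW = "192.168.2.253"   # hypothetical router joining X and W
R_XY = "192.168.2.254"   # hypothetical router joining X and Y

def route(prefix, gateway, metric=1):
    return (ipaddress.ip_network(prefix), gateway, metric)

# Routes a PC on X would receive from the X DHCP scope under the plan above.
X_PC_ROUTES = [
    route("0.0.0.0/0", IG2),             # Internet via the local gateway
    route("192.168.2.0/24", "on-link"),  # own subnet
    route("192.168.1.0/24", R_XW),       # W via the X/W router
    route("192.168.3.0/24", R_XY),       # Y via the X/Y router
    route("192.168.4.0/24", R_XY),       # Z lies beyond Y
]

def matching(routes, destination):
    dest = ipaddress.ip_address(destination)
    return [r for r in routes if dest in r[0]]

def next_hop(routes, destination):
    """Longest matching prefix wins; the lower metric breaks ties."""
    candidates = matching(routes, destination)
    if not candidates:
        raise LookupError(f"no route to {destination}")
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))[1]

def sites_on_default_route(routes):
    """Sites with no route more specific than the default (or no route
    at all), so internal traffic would head for the ISP gateway."""
    leaked = []
    for name, net in NETS.items():
        probe = str(net.network_address + 10)
        best = max((r[0].prefixlen for r in matching(routes, probe)), default=0)
        if best == 0:
            leaked.append(name)
    return leaked

if __name__ == "__main__":
    for dst in ("192.168.1.20", "192.168.4.7", "8.8.8.8"):
        print(dst, "->", next_hop(X_PC_ROUTES, dst))
    # Default route changed to IG2 but static routes forgotten:
    print("falls through to default:", sites_on_default_route(X_PC_ROUTES[:2]))
```

With two default routes of different metrics in the table, next_hop returns the lower-metric gateway for every Internet destination, which is why a second default gateway on the same PC does not by itself split traffic between the two.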


Stuart Livings

Aug 24, 2016, 9:17:51 AM
to reading-...@googlegroups.com


Slight correction: I meant use the ISP gateway at X for all internet access for X, Y and Z, use the ISP gateway at W for internet access from W.

Norro

Aug 24, 2016, 5:27:09 PM
to Reading Hackspace
This sounds vastly overcomplicated. There is no such thing as a Class C; that is a mistaught term. If you have a Windows domain on the other side of a slow link then you should add a 2nd DC on this side and use 'sites'. PCs should not be connected to multiple subnets, and particularly you can't add ISP redundancy in this way.

Eric Rowen

Aug 25, 2016, 3:40:56 AM
to reading-...@googlegroups.com
What do you mean by there isn't such a thing as a Class C subnet?

What do you mean by PCs should not be connected to multiple subnets?

And which solution are you saying will not work, Stuart's or mine using ForceBindIP?

PS. The network (which I didn't set up but inherited) consists of four separate networks, each with a different IP address range, e.g. 192.168.2.x, 192.168.11.y (Class C subnets?) etc., separated by routers in a serial fashion. It does not have domain controllers and works fine. I would not have set up the network this way myself, but it does work and for the moment I'm stuck with it.




Norro

Aug 25, 2016, 6:56:36 AM
to Reading Hackspace
Network classes have not existed since 1993.

You shouldn't be adding routes to individual PCs, even through DHCP; it is too fragile. You should add routes on the routers, that's their job.

You can't do ISP redundancy through routing alone because the ISPs aren't in cooperation. You need something extra to know when the links are up/down and change the routes. (Some routers have this functionality, but it will likely be 1 router switching between ISPs.)

Stuart's solution will let you use the ISPs separately and route internal traffic across the internal links. Except the routes should be on the routers, not all the individual clients.

Stuart Livings

Aug 25, 2016, 7:01:22 AM
to reading-...@googlegroups.com

On 25/08/2016 08:40, Eric Rowen wrote:
> What do you mean by there isn't such a thing as a Class C subnet?

These days classful IP routing is basically dead. I disagree that
"there is no such thing as a class C" but Ben's sentiment is correct:
These days all networks are classless and it's only
convention/simplicity/laziness that means that /24s are in common use.

> What do you mean by PCs should not be connected to multiple subnets?

Again I disagree with this as a sweeping statement but again agree with
the sentiment. PCs can only follow one default route with different
operating systems behaving differently (and almost always
inappropriately) with multiple default routes.

To keep your network simple you should only ever connect a single PC to
a single subnet. You can connect to multiple subnets but you're likely
to make the network more complex and more difficult to resolve any
issues you find. Just don't bother.

> And which solution are you saying will not work, Stuart's or mine
> using ForceBindIP ?

In my opinion ForceBindIP is a solution trying to solve a problem that a
well designed network doesn't have. If you can get away without using
it (as I believe you should) then don't use it.

> PS. The network (which I didn't set up but inherited) consists of
> four separate networks each with a different IP address range e.g.
> 192.168.2.x 192.168.11.y (Class C subnets?) etc. separated by
> routers in a serial fashion. It does not have domain controllers and
> works fine. I would not have setup the network the way myself but it
> does work and for the moment I'm stuck with it.

Can you be specific about what those routers are, how they're connected
to each other (and the network switches) and how they're connected to
the ISP routers?

Please be aware that the more information you keep back the less
accurate anyone's answers will be, it's more useful to spend an hour
writing a detailed email than trying to simplify things.

Stuart

Ryan .

Aug 25, 2016, 7:04:20 AM
to reading-...@googlegroups.com

Draw a diagram maybe?


Norro

Aug 25, 2016, 7:10:17 AM
to Reading Hackspace
Well, I say 'should' to follow best practice and avoid getting in horrible messes or having to go and check every individual PC's routing table :)

Paul Lawrence

Aug 27, 2016, 7:37:20 AM
to Reading Hackspace
What you might want to look at then is something like IPCOP between the network and internet gateway. It supports up to 4 Ethernet interfaces. Allow it to route the required traffic over interfaces connected to the internet and your 2Mb link, rather than configuring each PC.


Eric Rowen

Aug 27, 2016, 9:05:53 AM
to reading-...@googlegroups.com
Paul,  Thanks, will take a look at it. 


Luke B

Sep 1, 2016, 9:21:53 PM
to Reading Hackspace
If the internal traffic on the network is grinding to a halt, not just the traffic over the ~2 Mbps link, then it's quite possible you've got a broadcast storm, and without something like spanning tree protecting switch ports then all this broadcast traffic will continue to increase and eventually utilize all CPU on the router until someone reboots it or an internal guard resets it.

- A Raspberry Pi running a caching proxy with Chrome/IE configured to use it results in less load on the internet link if clients are frequently visiting the same sites.
- Most applications have custom proxy settings; this can help you direct traffic when the destination IP address is not known or unpredictable.
- Static routes can be used to steer application traffic if the app always connects to the same known destination.
- You can have multiple routes as default and prioritise them with metrics - route add 8.8.8.8 mask 255.255.255.255 192.168.0.1 metric 1

Windows networking is quirky and somewhat fragile at best, so 3rd party software as network duct tape will create more problems than it solves :)

As you're routing between subnets and allowing clients to talk without any firewall (I assume), a layer 2 connection between sites may be more suitable (providing possible) with all clients on the same subnet. Cisco 2811s are peanuts on eBay these days, might be worth looking at those if you need reliable, flexible infrastructure.




Eric Rowen

Sep 5, 2016, 4:56:45 AM
to reading-...@googlegroups.com
What do I need for the Pi proxy server: which version of Pi (presumably latest?), RAM, how many Ethernet connections (two?), what version of Linux, and any specific utility to enable the proxy/caching? Will this need to be on its own subnet or just another address on the network?

And did you omit Firefox for any reason other than Chrome and IE came to mind first?
