I have been racking my brain around a current networking project that I need to complete in the next few weeks while meeting the objectives below:
Connect two different sub-nets (192.168.30.0/24 & 192.168.63.0/24) together at one of my locations to my Balance 380.
Create an IPsec tunnel to a remote site for the 192.168.63.0/24 network to utilize. (I know this can be done with an Outbound policy, setting one for the path to utilize the IPsec tunnel).
Isolate the IPsec tunnel from my network, only allowing access to the 192.168.63.0/24 network. The remote network already utilizes multiple sub-nets that I have currently deployed (and cannot change) and do not wish to grant additional access to my LANs.
I would like my sub-nets to have the ability to access the 63 network and vice-versa, but the IPsec tunnel traffic can only access the 63 network.
Any proposed network equipment for building B preferably needs to take native DC power (either 12V, 24V or 48V); the MAX-BR1-T is my current plan if a router is needed (cost effective), as there is already an extensive DC power system with battery backup in place.
I have attached two PDFs, one is the current physical network. The second (Thought1.pdf) is my current thought for network layout, but not sure on the configurations needed to best accomplish this project. Thanks for any input the community may have.
Not quite. Here is a bit more clarification. I am using PepVPN to connect my Field Offices to the main office. The other agency and vendor that we would be connecting the 192.168.63.0/24 network to only supports IPsec. I am trying to get them to deploy a PepVPN capable router to connect our two sites more easily, but don't see that being a feasible option currently.
If it is just a wireless bridge (not going over the internet? Is this just a repeater connecting building A to building B?), then you would not need to create a VPN. You would just need to create a static route in the B380, i.e.:
Network: 192.168.63.0 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.30.2
Once created, this will allow the B380 to see the 192.168.63.0 network, and it will be able to control it with firewall rules/outbound policies.
Question, with the static route you listed above, you had set the gateway to 192.168.30.2.
A) Does this imply that I need a router in building B with an assigned WAN IP of 192.168.30.2?
B) Or is the IP 192.168.30.2 just used (internally) to route data between sub-nets, so equipment with a 192.168.63.0/24 address can be on the same physical LAN and communicate?
Configure the BR1 WAN interface as IP Forwarding (if you are using a BR1). Dashboard > Click “Details” of WAN > Click “?” of Routing Mode > Click “here” > Select IP Forwarding.
Add a static route at the B380. Network > LAN > Static Route Settings > Enter the parameters below:
Destination Network: 192.168.63.0
Subnet Mask: 255.255.255.0 (/24)
Gateway: 192.168.30.2
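To check that the static route above and the isolation requirement from the original post fit together (the 63 network reachable from both local subnets and from the tunnel, but the tunnel unable to reach the 30 network), here is an added model of the B380's routing and firewall decisions. This is example code written for this thread, not Peplink configuration; the remote-site network behind the IPsec tunnel (10.200.0.0/16) and the next-hop labels are assumed placeholders.

```python
import ipaddress

# Constructed model of the B380 after the static route from this thread is added.
# ROUTES entries: (destination, next hop). The remote-site network reached through
# the IPsec tunnel is an assumed placeholder, not a value from the thread.
REMOTE = "10.200.0.0/16"
ROUTES = [
    ("192.168.30.0/24", "connected"),
    ("192.168.63.0/24", "192.168.30.2"),   # static route pointing at building B
    (REMOTE,            "ipsec-tunnel"),
    ("0.0.0.0/0",       "wan-gateway"),
]

# Constructed firewall policy (source net, destination net, action); first match wins.
# Only the 63 network is reachable from, and may reach, the tunnel; the 30 network
# and the 63 network may still reach each other.
RULES = [
    (REMOTE,            "192.168.63.0/24", "allow"),
    (REMOTE,            "0.0.0.0/0",       "deny"),
    ("192.168.63.0/24", "0.0.0.0/0",       "allow"),
    ("192.168.30.0/24", REMOTE,            "deny"),
    ("192.168.30.0/24", "0.0.0.0/0",       "allow"),
]

def lookup(dst):
    """Longest-prefix match over ROUTES; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in ROUTES:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, hop)
    return None if best is None else best[1]

def forward(src, dst):
    """Evaluate RULES for a packet, then route it; returns (action, next_hop)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in RULES:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return (action, lookup(dst) if action == "allow" else None)
    return ("deny", None)   # implicit default deny for anything unmatched

if __name__ == "__main__":
    checks = [("10.200.1.5", "192.168.63.10"), ("10.200.1.5", "192.168.30.20"),
              ("192.168.30.20", "192.168.63.10"), ("192.168.30.20", "10.200.1.5"),
              ("192.168.63.10", "10.200.1.5")]
    for src, dst in checks:
        print(f"{src} -> {dst}: {forward(src, dst)}")
```

The rule order matters: the tunnel's allow for the 63 network must sit above its catch-all deny, and the 30 network's deny toward the remote network must sit above its general allow.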
Typically, you would still need a layer 3 device, i.e. a switch or something that is adding this second network. In this case a switch or another layer 3 device will get a 192.168.30.x address from the main Balance (which will be the default gateway in the static route) and would NAT to 192.168.63.x addresses (the network address in the static route settings).
Or, if using VLANs, you would just need a switch in building B that is capable of VLAN tagging, as this would work as well. Which route to go ultimately depends on what equipment you currently have available in that building or what device(s) you are planning on adding.
Thanks for the info. As far as hardware goes at this point in time, I could go either way: a managed switch (that supports VLAN tagging) or I could implement a router. I’m just trying to figure out the best hardware combination to accomplish the objective.