Best setup for routing between 6 subnets plus internet?

[nutso]

Hi all,

There is a chance that we might end up with up to 5 feeder schools connecting in to our site via leased lines, and we would house various services here for them to access and be used as a gateway for internet access. The schools also need to have the option of being able to connect to each other. Each school has its own subnet, so I'm thinking that I would need to be able to route between the 5 schools, a DMZ, and the internet.

My question is: what is the best way of achieving this? Does anyone know of any particular hardware that would handle this well?

[jamesfed]

Sounds like its a VPN connection setup that is needed (all feeding into your main site) - this way you could share secure services without having them posted on the internet.

[nutso]

I don't think I understand why a VPN would be necessary? The connections between the schools would be via leased line, direct in to the school and not over the internet. In that respect it would already be a private network. I might be missing something, but I think the issue is finding the best way of routing between so many subnets.

[jamesreedersmith]

A router!

[nutso]

Yes, but which! I know my way around IPCop but that only supports 4 interfaces, and I have no experience of anything that might be able to handle 7.

[nicholab]

You need to deploy a device that can control traffic between sites as well as the internet. I would look at these rather than Cisco as they do more for the money www.vyatta.com | or these http://www.firebrick.co.uk/products_6000.php

[gshaw]

Yes, but which! I know my way around IPCop but that only supports 4 interfaces, and I have no experience of anything that might be able to handle 7.

pfSense might be able to handle a few more interfaces than IPCop, could be worth a look

[Geoff]

Each satellite site needs a router. This will be your gateway for the subnet at each site. These pass traffic on to your main site. Your main site needs the same setup however it also needs static routes setup to route the traffic from the satellite sites in/out through the main site. Things get a bit more complex if you have a DMZ or if you want the satellites to be able to talk to each other. But that's the basic idea.

[jamesfed]

I don't think I understand why a VPN would be necessary? The connections between the schools would be via leased line, direct in to the school and not over the internet. In that respect it would already be a private network. I might be missing something, but I think the issue is finding the best way of routing between so many subnets.

Do ignore my post I thought the lines were just out onto the web and not direct into the school site.

[nutso]

Each satellite site needs a router. This will be your gateway for the subnet at each site. These pass traffic on to your main site. Your main site needs the same setup however it also needs static routes setup to route the traffic from the satellite sites in/out through the main site. Things get a bit more complex if you have a DMZ or if you want the satellites to be able to talk to each other. But that's the basic idea.

Actually this was another thing that I wasn't certain of - if each satellite site needed a router also. I haven't dealt with leased lines before but as I understood it they are just glorified fibre links. I figured that because you don't need a router to link two buildings with fibre, that I wouldn't in this case either and that I'd only need a router to handle traffic between the subnets. Did I get this wrong?

[m25man]

We have a TalkTalk Business MPLS circuit connecting all of our remote sites together, private IP addresses at each site all routing to each other through HP L3 switches.
The core switch at each location is the gateway address.

We all share a common Sonicwall Firewall managed by us to enable NAT/PAT from Firewall to any segment/host.

Mitel 3300 Phone systems at each site all linked to create a common voice platform over the MPLS.

The only problem with the entire system is TalkTalk... but thats another story.

[Geoff]

Actually this was another thing that I wasn't certain of - if each satellite site needed a router also. I haven't dealt with leased lines before but as I understood it they are just glorified fibre links. I figured that because you don't need a router to link two buildings with fibre, that I wouldn't in this case either and that I'd only need a router to handle traffic between the subnets. Did I get this wrong?

In the fibre case you cite routers aren't required because both building networks are on the same subnet. This is not the situation in multi-site setups as you put each site in its own subnet with its own router to route traffic in/out of the site as required. You do this because you don't want your (slower) intersite link bogged down with broadcast traffic (which is what would happen if you didn't subnet and route between your remote sites).

[cpjitservices]

Pfsense all the way - it will do what you want plus more - there are hundreds of packages to install too for monitoring etc etc so you could monitor each connection and there are packages in there for MPLS and OSPF etc etc

We have Pfsense boxes running networks at remote locations and have done for a long time.

It's free and does the job nicely, all you'll need is an old PC with enough NIC's.

[nutso]

Ah, good thinking on the broadcast traffic - that would be the point that I'm missing so I'd definitely need a router at each site. Then if I'm thinking right, I would need a suitable router to handle traffic between the different sites, and also out on to the internet. It's not exactly the most simple setup, but I think I'm getting my head around it

[Geoff]

It really depends on the speed of the links between the sites as to if broadcast traffic is a problem. The worse culprits are Windows PCs network discovery, printers, bonjour and ARP. IPX/SPX used to be terrible too, but hopefully everyones killed that off by now?