Static Routing Help

I am trying to wrap my head around a hypothetical.

Say my business and my neighbor's business each have internet individually. Say we want to share public network resources, but without the latency of the traffic needing to find the closest exchange to swap ISPs and return.

We could set up a radio or run an ethernet cable to plug our routers into each other, but then the question is how to configure routing such that traffic originating from the LAN side of one network appears to be coming from the WAN side of the other.
I would assume a static route could be set up on each router to forward traffic to the public IP of the other business over the shared interface instead of through the default gateway.

Would “dumb” routers with static routes be able to handle this? Or would each building need a smarter multi-wan router?

Bless me with your knowledge L1T!

This isn’t really what’s meant by a multi-WAN setup because there are still two separate devices each with a single WAN interface. What kind of logic are you wanting for one router to make the decision on where to send packets destined for the internet (default gateway)? Do you want to just switch the default gateway from one link to the other or do you want packets destined for particular endpoints to go out a particular interface?

To do this you’d basically just connect those devices to the other network where their default gateway is now that device instead of the other one.

Not really, no. Your router can’t see the public IP of your neighbor’s router (unless it is on the same layer 2 network on the public side of YOUR router, but most ISPs block that kind of L2 traffic I think). Your router can only forward to addresses that it can see at layer 2 on its interfaces, so when it does an ARP looking for the IP specified in a static route, it can only find things that are directly connected (and that’s also assuming the router has an interface that’s in the correct layer 2 subnet corresponding to the route lookup). So really what it would find would be the local private interface of your neighbor’s router over the link between the two of you. That’s what you’d need to set as your default gateway, and that would effectively set up a double NAT for any devices behind your router.

This is what I am wondering as well. I realize that this is hypothetical and maybe I am not knowledgeable enough to understand the issue but I’m gonna try anyways lol.

Are we just trying to access the same “cloud” resources?

I don’t think most basic consumer routers would be able to handle this. You can probably achieve what you are looking to do with (pf/opn)sense.

I found something that could work, but you’d need to change things around for multi-LAN with separate gateways.

Then you configure it so the two LANs talk to each other.

More or less, yeah, without routing traffic over the “public” internet. The trouble is getting each router to consider the traffic to be on the WAN side, so things like port forwarding point the traffic to the right place.

Sorta, yeah. In this scenario, both buildings would have a known static public IP address. I figure I can set up a static route on each router where all traffic going to the other building's IP would get routed over the interface connected to the other building's router instead of the default gateway, but I don’t know what is involved in configuring the receiving end to say “traffic on this interface should be treated as WAN traffic.”

This is how I see it working in my head, but don’t really have any way to test it.

Building A:

  • internal: 10.0.0.1/24
  • public: 1.1.1.1
  • bridge: 10.1.1.1

Building B:

  • internal: 192.168.1.1/24
  • public: 2.2.2.2
  • bridge: 10.1.1.2

Bridge:

  • 10.1.1.0/30

Then for routes-

Building A:

  • 2.2.2.2 -> 10.1.1.2

Building B:

  • 1.1.1.1 -> 10.1.1.1

The trouble is getting the routers on each end to know that traffic coming from the private interface then needs to be considered “public.”

So, what if you set up a VPN tunnel between the two sites? Then you could possibly route the necessary traffic from B through the tunnel to the internal network of A. Then on the A network add a route to send that traffic out the public WAN?

On a different path
Are these buildings actually neighbors? Would there be an issue with just sharing the same internet connection? I am sure there would be security implications, but if firewalls are set up correctly then that would be diminished.

You don’t. If you have a static route for 192.168.1.0/24 in Building A’s routing table, then only packets destined for IPs in that subnet will be sent out the bridge interface. If you have a packet destined for 8.8.8.8 for example, then the local router will not have a route for that, so it falls back to the default route and will forward the packet out the local WAN interface without traversing the bridge. In what scenarios do you want WAN traffic to traverse the bridge?

I would be trying to keep the internal networks isolated. So traffic coming from A to B would still need to go through the B firewall, as if the traffic were coming from its WAN port. Same the other way around.

This is all part of the hypothetical. Routing traffic from one network to the other without traversing the public internet, but they are on two distinct networks.

Never. I just want traffic traversing the bridge to be treated as if it were traffic coming from the WAN interface.

Say building B had a web server. Normal WAN traffic arrives and the router forwards traffic on those ports to the web server on an internal address within its network.
In this case, I want traffic coming from building A to be treated exactly the same as if it were coming from building B’s WAN interface, such that building B can apply its normal port forwarding and firewall rules.

The gist of the effort is so that traffic flowing between A and B acts the exact same as if it were traversing the public internet, but instead of needing to route the traffic through an exchange on the other side of the state it just sends the traffic over a wire to the other side of a parking lot. I am not trying to marry internal networks or make internal resources routable, I just want to shortcut A->B.

I don’t see what needs to be done here. Are you trying to reduce hops? No matter how I look at it, it seems like you’re trying to use WAN resources regardless.

At this point, standard consumer routers won’t do what you need. You’d need to have two routers with a dedicated bridge interface, and potentially a lot more infrastructure involved depending on what you’re trying to access & how you’re trying to access it.

Yes. In all honesty the difference between 20ms and 400ms ping time will not make one lick of difference, but I am trying to think of how it could be made to work.

Something like the Ubiquiti EdgeRouters? Or just any old multi-WAN router?

Since this is all pretend, money isn’t an issue. I am just curious about how it would be done.

You can configure the router/firewall in building B to have similar rules as those applied to the WAN interface, but there’s no way to merge the interfaces in this way.

Port forwarding would only be necessary if you want to use NAT, which seems unnecessarily complicated for this. It sounds like all you really want to do is route with a firewall. This is exactly what routers do.

The router for building A would look like this:

  • Static route for internal LAN 10.0.0.0/24 - LAN interface (or equivalent)
  • Static route for building B LAN 192.168.1.0/24 - Bridge interface (the gateway for this route would be the bridge interface IP of the building B router)
  • Default route 0.0.0.0/0 - WAN interface (default gateway)

The router for building B would look like this:

  • Static route for internal LAN 192.168.1.0/24 - LAN interface (or equivalent)
  • Static route for building A LAN 10.0.0.0/24 - Bridge interface (the gateway for this route would be the bridge interface IP of the building A router)
  • Default route 0.0.0.0/0 - WAN interface (default gateway)

If your router devices are a router/firewall combo, then you should be able to apply firewall rules easily on the bridge interface for incoming traffic from the other building. Otherwise you’d need to insert some kind of firewall between the local LAN and the router on each side.
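The routing tables in the reply above, together with the OP's earlier "treat the bridge like WAN" requirement (web server in B reachable on its forwarded port only), can be checked with a small model. The following is an added example and not code from anyone in this thread: it implements longest-prefix-match lookup over exactly the routes listed for Building A and Building B, and a per-ingress-interface policy on each router in which the bridge interface is grouped with the WAN interface. The ISP next-hop addresses (203.0.113.1 and 198.51.100.1), the interface names (lan, bridge, wan) and the web-server address 192.168.1.10 are assumed placeholders that the thread never specifies.

```python
"""Model of the two-router layout from the thread:
Building A LAN 10.0.0.0/24, Building B LAN 192.168.1.0/24,
bridge link 10.1.1.0/30 (A = 10.1.1.1, B = 10.1.1.2).
Added example, not from the thread.  ISP gateways 203.0.113.1 /
198.51.100.1 and the web server 192.168.1.10 are assumed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    iface: str
    via: Optional[IP] = None  # None: destination is directly connected


@dataclass(frozen=True)
class Rule:
    """Policy for NEW connections arriving on any interface in `ifaces`."""
    ifaces: FrozenSet[str]
    action: str  # "accept" or "drop"
    dst: Optional[Net] = None
    dport: Optional[int] = None


class Router:
    def __init__(self, name: str, routes: List[Route], rules: List[Rule],
                 default_action: str = "drop") -> None:
        self.name = name
        # Longest prefix wins, so the 0.0.0.0/0 default route sorts last.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.rules = rules
        self.default_action = default_action

    def lookup(self, dst: str) -> Optional[Route]:
        d = IP(dst)
        for r in self.routes:
            if d in r.prefix:
                return r
        return None

    def next_hop(self, dst: str) -> Optional[Tuple[str, IP]]:
        """Egress interface and the address the router will ARP for."""
        r = self.lookup(dst)
        if r is None:
            return None
        return (r.iface, r.via if r.via is not None else IP(dst))

    def filter(self, iif: str, dst: str, dport: int) -> str:
        """First matching rule wins, like a top-down firewall ruleset."""
        d = IP(dst)
        for rule in self.rules:
            if iif not in rule.ifaces:
                continue
            if rule.dst is not None and d not in rule.dst:
                continue
            if rule.dport is not None and dport != rule.dport:
                continue
            return rule.action
        return self.default_action


def build_routers() -> Tuple[Router, Router]:
    untrusted = frozenset({"wan", "bridge"})  # bridge policed like the WAN
    a = Router("A", routes=[
        Route(Net("10.0.0.0/24"), "lan"),
        Route(Net("10.1.1.0/30"), "bridge"),
        Route(Net("192.168.1.0/24"), "bridge", IP("10.1.1.2")),
        Route(Net("0.0.0.0/0"), "wan", IP("203.0.113.1")),  # assumed ISP gw
    ], rules=[
        Rule(frozenset({"lan"}), "accept"),
        Rule(untrusted, "drop"),
    ])
    b = Router("B", routes=[
        Route(Net("192.168.1.0/24"), "lan"),
        Route(Net("10.1.1.0/30"), "bridge"),
        Route(Net("10.0.0.0/24"), "bridge", IP("10.1.1.1")),
        Route(Net("0.0.0.0/0"), "wan", IP("198.51.100.1")),  # assumed ISP gw
    ], rules=[
        Rule(frozenset({"lan"}), "accept"),
        # Only the web server's port is reachable from WAN or bridge.
        Rule(untrusted, "accept", Net("192.168.1.10/32"), 80),
        Rule(untrusted, "drop"),
    ])
    return a, b


def trace(a: Router, b: Router, dst: str, dport: int) -> Tuple[str, str, Optional[str]]:
    """Follow a new connection from a host on A's LAN toward dst:dport.
    Returns (egress iface on A, next hop on A, verdict at B or None if
    the packet never crosses the bridge)."""
    iface, nh = a.next_hop(dst)
    if iface != "bridge":
        return (iface, str(nh), None)
    return (iface, str(nh), b.filter("bridge", dst, dport))


if __name__ == "__main__":
    a, b = build_routers()
    for dst, port in [("192.168.1.10", 80), ("192.168.1.10", 22), ("8.8.8.8", 443)]:
        print(dst, port, "->", trace(a, b, dst, port))
```

The point the model makes visible: traffic to 8.8.8.8 never touches the bridge because only 192.168.1.0/24 has a route there, while a connection from A to B's web server crosses the bridge and is then judged by the same rule group as WAN traffic, so everything except port 80 on the web server is dropped on B without any NAT or "interface merging" being involved.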