
I have the following set up:

My office is located out of town and unfortunately I can't get fibre. Fortunately, I have a mate in town who can get fibre. He has pointed a p2p WIFI modem at my place. His setup:

Internet
|
Cable Modem
|
Router (WAN: DHCP client: some internet IP DMZ Host: 192.168.20.100)
Router (LAN: DHCP server: 192.168.20.1/24)
|
p2p wifi modem
|

my office:

|
p2p wifi modem
|
Ubiquiti USG router (WAN: DHCP client: 192.168.20.100/24 GW: 192.168.20.1)
Ubiquiti USG router (LAN: DHCP server: 192.168.1.1/24)
|
Cisco 3750 Switch Port on VLAN 1 (LAN: DHCP client: 192.168.1.100/24 GW: 192.168.1.1)
Cisco 3750 Switch Port on VLAN 2 (LAN: DHCP server: 172.27.71.1/24)
|
PC (LAN: DHCP client: 172.27.71.100/24 GW: 172.27.71.1)
Cisco 3750 Switch Port on VLAN 3 (LAN: DHCP server: 172.27.72.1/24)
|
Server (LAN: DHCP client: 172.27.72.100/24 GW: 172.27.72.1)

Now in order to get it working I configured IP routing and DHCP on the 3750. This allows the PC and server to communicate via the Cisco switch as it is their common gateway.

In order to get internet access to the PC and Server I had to add TWO static routes...?

In the Ubiquiti USG:

172.27.0.0/16 via 192.168.1.100

And in my friends router:

172.27.0.0/16 via 192.168.20.100

This seemed strange to me, so I have triple checked and both routes are required.

Now we are getting to the questions:

  1. If the Ubiquiti USG is NATing the outbound traffic, then why do I need a static route in my friends router that refers to the 172.27.0.0/16 subnet, isn't this out of context?

  2. The Ubiquiti USG performs bandwidth accounting, but it doesn't list the server or the phone in its client list, it only lists the Cisco switch. If the Cisco switch does not perform NAT then why is the traffic being attributed to the switch?

  3. What do I need to change in my setup to make the USG aware of the devices connected to the Cisco switch - while still allowing inter-VLAN communication to occur on the Cisco switch?

I know I could get it to work by defining all the VLANs on the USG and running a DHCP server for each and just running a trunk to the Cisco switch (i.e. router on a stick) but then all the inter-VLAN traffic between the VLANs would have to go via the USG and that is significantly slower.

  • 1. Why do you need 2 VLANs if you want intercommunication? 2. Why do you need two Ubiquiti routers at your place? Commented May 14, 2016 at 3:02
  • 1. Next step is to implement an access list on the Cisco switch to limit inter-VLAN communication so that each VLAN is only allowed to access the DMZ VLAN. 2. I don't have two routers, I just drew it on two lines to show the two interfaces.
    – James
    Commented May 14, 2016 at 3:08
  • Hmm. I'm not sure how to approach this. Commented May 14, 2016 at 3:13
  • Firstly can you see any fallacies in my statements? Secondly does my question #1 seem odd to you?
    – James
    Commented May 14, 2016 at 3:20

1 Answer

  1. If the Ubiquiti USG is NATing the outbound traffic, then why do I need a static route in my friends router that refers to the 172.27.0.0/16 subnet, isn't this out of context?

The route is needed so both routers know where to direct traffic destined to the 172.27.0.0/16 subnet, which is not part of their subnet.

  2. The Ubiquiti USG performs bandwidth accounting, but it doesn't list the server or the phone in its client list, it only lists the Cisco switch. If the Cisco switch does not perform NAT then why is the traffic being attributed to the switch?

That's because your Cisco switch does layer 3 switching, which means that your router sees its MAC address as its point of contact.

  3. What do I need to change in my setup to make the USG aware of the devices connected to the Cisco switch - while still allowing inter-VLAN communication to occur on the Cisco switch?

It is tempting to suppose that replacing or eliminating the switch would simplify your setup and solve this problem. However I can't be sure since you may have reasons to arrange your 3 subnets that way, and it wouldn't be very easy to configure it differently.

  • Thanks for your reply. With respect to question #1, if my router is NATing the outbound traffic, then in what situation does a packet ever arrive at my friend's router with a 172.27.0.0/16 address as either the source or destination?
    – James
    Commented May 14, 2016 at 3:50
  • 172.27.0.0/16 is a subnet I use inside my network, my friend only uses 192.168.20.X. If my router is NATing the outbound traffic then shouldn't my friend's network never see any 172.27.0.0/16 addresses as my NAT will always rewrite them first?
    – James
    Commented May 14, 2016 at 5:44
  • I can't explain why you need the 172.27.0.0/16 VLAN. That's your infrastructure design. Commented May 14, 2016 at 5:46
  • I'm not asking why I need the VLAN, I'm asking why the static route is necessary.
    – James
    Commented May 14, 2016 at 5:47
  • I'm not 100% sure, but I think that a tracert 172.27.71.1 and tracert 172.27.72.1 from the same machine on your side might give you a better answer. Commented May 14, 2016 at 5:51
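The point argued back and forth in the comments on question #1 (a masquerading USG should mean the friend's router never sees 172.27.x.x addresses) and the answer's point on question #2 (the USG sees the 3750's MAC) can both be checked with a small hop-by-hop model of the topology in the question. The code below is an added example, not code from the original post and not Ubiquiti or Cisco code. It models the USG's masquerade as covering only 192.168.1.0/24 unless told otherwise (an assumption that reproduces what the question observed: both static routes required), and uses made-up MAC addresses and RFC 5737 documentation addresses for the public side.

```python
"""Added example, not code from the original post or from Ubiquiti/Cisco: a toy
hop-by-hop model of the topology above (PC and server behind the 3750 acting as
an L3 switch, the USG, the friend's router, the internet). It shows when the
friend's 172.27.0.0/16 route is needed and which MAC the USG sees.
Assumptions: the USG masquerades only 192.168.1.0/24 unless told otherwise, the
friend's router masquerades everything to an invented public address
(203.0.113.10, RFC 5737), the internet does not route RFC 1918 space, and all
MAC addresses are made up."""
from ipaddress import ip_address, ip_network


class Node:
    """Host or router. routes = [(prefix, next-hop node name)]; on a connected
    segment the next hop is just the node that owns the address.
    snat = (source prefix, masqueraded-to address, upstream node) or None."""

    def __init__(self, name, mac, addrs, routes, snat=None):
        self.name, self.mac = name, mac
        self.addrs = {ip_address(a) for a in addrs}
        self.routes = [(ip_network(p), nh) for p, nh in routes]
        self.snat = (ip_network(snat[0]), ip_address(snat[1]), snat[2]) if snat else None
        self.nat_table = {}  # translated src -> original src (one flow at a time)
        self.seen = []       # (src MAC, src IP) of every frame that arrived here

    def next_hop(self, dst):
        matches = [(net, nh) for net, nh in self.routes if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def forward(nodes, start, src_mac, src_ip, dst_ip, max_hops=10):
    """Carry one packet from `start` until delivered or dropped.
    Returns (path, src IP at delivery or None if dropped, final dst IP)."""
    node, mac = nodes[start], src_mac
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    path = []
    for _ in range(max_hops):
        node.seen.append((mac, str(src)))
        path.append(node.name)
        if dst in node.nat_table:            # reply to a masqueraded flow: un-NAT
            dst = node.nat_table[dst]
        if dst in node.addrs:
            return path, str(src), str(dst)
        nh = node.next_hop(dst)
        if nh is None:
            return path, None, str(dst)      # no route: dropped
        if node.snat and nh == node.snat[2] and src in node.snat[0]:
            node.nat_table[node.snat[1]] = src   # masquerade only towards upstream
            src = node.snat[1]
        mac, node = node.mac, nodes[nh]      # forwarding router becomes L2 source
    raise RuntimeError("routing loop")


def build(usg_nats_172=False, friend_has_route=False):
    """The post's topology; the two flags model the NAT scope and the second route."""
    friend_routes = [("192.168.20.0/24", "usg"), ("0.0.0.0/0", "internet")]
    if friend_has_route:
        friend_routes.append(("172.27.0.0/16", "usg"))
    return {
        "pc": Node("pc", "aa:aa:aa:00:00:01", ["172.27.71.100"], [("0.0.0.0/0", "switch")]),
        "server": Node("server", "aa:aa:aa:00:00:02", ["172.27.72.100"], [("0.0.0.0/0", "switch")]),
        "switch": Node("switch", "cc:cc:cc:37:50:01", ["172.27.71.1", "172.27.72.1", "192.168.1.100"],
                       [("172.27.71.0/24", "pc"), ("172.27.72.0/24", "server"), ("0.0.0.0/0", "usg")]),
        "usg": Node("usg", "bb:bb:bb:00:00:01", ["192.168.1.1", "192.168.20.100"],
                    [("192.168.1.0/24", "switch"), ("172.27.0.0/16", "switch"), ("0.0.0.0/0", "friend")],
                    snat=("0.0.0.0/0" if usg_nats_172 else "192.168.1.0/24", "192.168.20.100", "friend")),
        "friend": Node("friend", "bb:bb:bb:00:00:02", ["192.168.20.1", "203.0.113.10"], friend_routes,
                       snat=("0.0.0.0/0", "203.0.113.10", "internet")),
        "internet": Node("internet", "ee:ee:ee:00:00:01", ["198.51.100.1"], [("203.0.113.0/24", "friend")]),
    }


def round_trip(usg_nats_172, friend_has_route):
    """PC -> 198.51.100.1 and the reply back. Returns (source IP the friend's
    router saw on the request, whether the reply made it back to the PC)."""
    nodes = build(usg_nats_172, friend_has_route)
    _, src_at_internet, _ = forward(nodes, "pc", nodes["pc"].mac, "172.27.71.100", "198.51.100.1")
    assert src_at_internet == "203.0.113.10"  # the friend's router always masquerades
    reply_path, reply_src, _ = forward(nodes, "internet", nodes["internet"].mac,
                                       "198.51.100.1", "203.0.113.10")
    return nodes["friend"].seen[0][1], reply_src is not None and reply_path[-1] == "pc"


def usg_client_view():
    """MACs and IPs the USG's LAN side sees when both PC and server go out."""
    nodes = build()
    for host, ip in (("pc", "172.27.71.100"), ("server", "172.27.72.100")):
        forward(nodes, host, nodes[host].mac, ip, "198.51.100.1")
    return {m for m, _ in nodes["usg"].seen}, {i for _, i in nodes["usg"].seen}


if __name__ == "__main__":
    for nat, route in ((True, False), (False, False), (False, True)):
        print(f"USG NATs 172.27: {nat}, friend has route: {route} ->", round_trip(nat, route))
    print("USG sees (MACs, IPs):", usg_client_view())
```

Running it gives three cases: when the USG masquerades 172.27.0.0/16, the friend's router only ever sees 192.168.20.100 and replies come back without any route on its side; when the USG masquerades only 192.168.1.0/24, the request reaches the friend's router with a 172.27.71.100 source, and the reply is lost unless the friend's router has the 172.27.0.0/16 route (the situation the question describes). So "both routes are required" is the signature of a NAT rule that does not cover the VLANs behind the 3750; the practical check is to look at the USG's NAT rules, or capture on its WAN side and see whether any packets leave with a 172.27.x.x source. For question #2 the model shows the USG receiving frames for two IPs but a single source MAC, the 3750's VLAN 1 interface, so a client list keyed by MAC (an assumption about how the USG builds it) lists only the switch.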
