Intra-site routing, or how I gave up worrying and started to love the…VPN?!

Something I’ve been fighting with on and off for months now is how to properly route traffic around our site.

Please bear in mind that I’m an IT Manager, not a network technician, but then I’m not a network technician in the same way that I’m not a web developer, SharePoint developer, tech support guy, wireless installer and so on.

So anyway, we use Draytek hardware. I’m not sure why; it was here before I joined, so I carried on the trend. And you know what? I’m actually quite happy with the kit, it’s really not bad, and not expensive either.

Initially our network was laid out in a star configuration, which was fine, but there were a couple of VPN links running directly between remote sites. These were quick and dirty and were used to push VoIP traffic between remote sites. My own thought was that we should be able to route traffic natively around all our sites via the routers’ routing tables. Our DC hosts DNS, and so on.

How hard could it be?  Tell that to a guy who’s spent days configuring a VPN trunk on the new Draytek 2930, only to find that it simply does not work as expected.

The basic premise was not to convert the star into a mesh, but rather to allow the remote nodes of the star to talk to each other.

This is what we had to start with:

Each box is a site and each line is a VPN tunnel, and you can see that in order to link remote sites we added extra VPN tunnels. There was no additional configuration to tell traffic which tunnel to flow down, and to be fair I think we were experiencing a fair bit of packet loss, or at least packets flowing down the wrong link.

Knowing a little about routing, but not so much that I could click my fingers and have the answer, I had to plug away.

Well, this week I found the Draytek version of the solution at least! There are few articles on this type of routing, and the manual is not the most helpful, so it eventually boiled down to a little trial and error. And those of you who have the responsibility will agree that making changes to routers that are in situ tends to upset the locals!

So I created two test sites: two routers with a PC on each, and gave myself free rein to tweak settings and try to get our routing requirements up and running.

What I was striving for was this.

A far more natural layout for the network, with a single VPN tunnel per site. But what if I wanted a device at Newquay to communicate with a device at Lands End?

I won’t be posting our VPN link configs here for obvious reasons; suffice it to say that we use encrypted tunnels to link each site. For the most part they are pretty reliable, and when a connection is lost the VPN re-establishes quickly once the connection returns. The only remaining weak point is a dodgy line or ADSL connection.

So back to the matter in hand. My device sits on, say, 192.168.2.103 and would like to see its master control system on 192.168.3.99.

Historically we’d have two VPNs set up on each of the 192.168.2.0 and 192.168.3.0 routers (one to the hub, one to the other site), and traffic would take its chance.

This week I discovered that the “more” setting in the TCP/IP section of a LAN to LAN connection allows additional routes to be added down that VPN tunnel. Previously, enabling RIP on the links did show a route in the router’s routing table, but those routes weren’t reliable. Adding an extra VPN connection per pair of sites is clunky, but the extended TCP/IP configuration let me add routes to the other remote sites through the single tunnel each site already has.

For our network I added one extra route per remote site; for example, on 192.168.2.1 I added:

192.168.3.0 / 24
192.168.4.0 / 24
192.168.5.0 / 24

And so on.

RIP was enabled on the LAN to LAN profile, and the “first subnet to remote network” setting was left on Route (rather than NAT), so the remote subnets are routed as-is rather than translated.
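To make clear why the extra routes are needed on every spoke, here is a small routing simulation. It is an added example, not anything from the post or from Draytek; the site names, subnets and egress labels are constructed assumptions, with the hub standing in for the site that hosts the DC and each spoke having exactly one LAN to LAN tunnel to it. It builds each router’s table with and without the per-site routes, applies longest-prefix match at each hop, and traces a packet from a Newquay device to a Lands End device across the star.

```python
import ipaddress
from typing import List, Tuple

IPv4Network = ipaddress.IPv4Network

# Constructed topology (an assumption, not the post's real sites):
# one hub with a DC, and spokes that each have a single tunnel to the hub.
HUB_LAN = ipaddress.ip_network("192.168.1.0/24")
SPOKE_LANS = {
    "newquay": ipaddress.ip_network("192.168.2.0/24"),
    "landsend": ipaddress.ip_network("192.168.3.0/24"),
    "truro": ipaddress.ip_network("192.168.4.0/24"),
    "penzance": ipaddress.ip_network("192.168.5.0/24"),
}

# A routing table is a list of (prefix, egress).  Egress labels used here:
#   "lan"        deliver on the local LAN
#   "vpn:<site>" send down the LAN-to-LAN tunnel to <site>
#   "wan"        the default route towards the ISP
Route = Tuple[IPv4Network, str]
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def spoke_table(site: str, remote_site_routes: bool) -> List[Route]:
    """Routing table of a spoke router.

    remote_site_routes=False is the starting state: the tunnel profile only
    carries the hub's LAN.  True adds one route per other spoke pointing down
    the same tunnel, which is what the "more" routes in the profile do.
    """
    table: List[Route] = [
        (SPOKE_LANS[site], "lan"),
        (HUB_LAN, "vpn:hub"),
        (DEFAULT, "wan"),
    ]
    if remote_site_routes:
        for other, lan in SPOKE_LANS.items():
            if other != site:
                table.append((lan, "vpn:hub"))
    return table


def hub_table() -> List[Route]:
    """The hub already knows every spoke: each tunnel profile carries the
    remote subnet it was built for."""
    table: List[Route] = [(HUB_LAN, "lan"), (DEFAULT, "wan")]
    for site, lan in SPOKE_LANS.items():
        table.append((lan, f"vpn:{site}"))
    return table


def lookup(table: List[Route], dst: str) -> str:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in table if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def trace(src_site: str, dst: str, remote_site_routes: bool) -> List[str]:
    """Forward a packet hop by hop and record the egress chosen at each router.

    Ends with "delivered" when a LAN route is hit, or "leaked" when the packet
    would leave via the WAN default route, i.e. a private destination handed
    to the ISP instead of the tunnel.
    """
    path: List[str] = []
    site = src_site
    for _ in range(4):  # a star is at most spoke -> hub -> spoke
        table = hub_table() if site == "hub" else spoke_table(site, remote_site_routes)
        egress = lookup(table, dst)
        path.append(f"{site}:{egress}")
        if egress == "lan":
            path.append("delivered")
            return path
        if egress == "wan":
            path.append("leaked")
            return path
        site = egress.split(":", 1)[1]
    path.append("loop")
    return path


if __name__ == "__main__":
    for fixed in (False, True):
        print("with extra routes" if fixed else "without extra routes")
        print("  request:", " -> ".join(trace("newquay", "192.168.3.99", fixed)))
        print("  reply:  ", " -> ".join(trace("landsend", "192.168.2.103", fixed)))
```

Two things the trace makes visible that the description alone does not: without the extra routes the only matching entry on the spoke is the default route, so the packet heads for the ISP rather than the tunnel; and the reply from Lands End needs the same treatment, which is why the routes had to be rolled out to every router and not just the one at Newquay.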

Dropping the VPN tunnels and allowing them to reconnect then gave a magical moment (sorry for the ham, but this has taken so long to sort out that it’s a blessed relief) where my pings started getting replies!

I have since rolled this out to all routers, and the main driving force behind this setup (apart from a tidier network), a clock-in machine at Newquay, can now see its parent device at Lands End.

This just further solidifies for me the fact that Draytek routers are a great product and can be called upon to make even the more complex of networks tick without much effort… provided you know how to program them, that is!


THE PERSONAL BLOG OF CORNWALL-BASED COMPANY DIRECTOR // CHRIS RICKARD