First, a little background..
(refer to this diagram http://sjfm.us/temp/network_topology2.jpg for specifics)
I have a little computer shop at a local Flea Market. In addition to my shop's NET needs, I also provide WiFi Hotspots for the entire Flea Market and I admin 2 different IP based Security Surveillance systems, one for the Flea Market and one for my shop..
There are three main subnets in play here..
As you can see by the above diagram, there are also 3 distinct LANs in play.
The Shop's LAN (upper left, 192.168.20.xxx)
The FM Office LAN (upper right, 10.1.10.xxx)
The Grid (lower, a mix of 10.1.10.xxx, 192.168.1.xxx and 192.168.20.xxx subnets)
Now, here is what I need to happen..
The EXETER workstation (upper center) has 3 NICs in it and must have complete unfettered access to all 3 subnets. That is my main workstation.
The FM Wifi Hotspot grid (192.168.1.xxx) must be completely isolated and ONLY have Internet Access.
The YORKTOWN workstation is the Shop's Security Surveillance server. It's on the 192.168.20.xxx subnet, but it needs to have access to a couple of The GRID's IP Cameras.. The workstations on the .20.xxx subnet must have NET access and that's all that is required. I also have (not pictured in the diagram) a Linksys WRT54G running DD-WRT that provides Wifi access to the net from the shop. This has a DHCP running but causes some problems for other subnets. More detail on that later..
Which brings us to.....
The LEXINGTON workstation (sensing a pattern?? :D) is the FM Security Surveillance server and has access to the 10.1.10.xxx IP cameras from The GRID and has its Internet access thru the FM Office Comcast Account.
I have this setup and it does appear to work OK. The 192.168.1.xxx WiFi routers do give NET access to the masses, but sometimes (for no apparent reason) the DHCP server from the 192.168.20.XXX DD-WRT Linksys "gets in the way" and gives out .20.xxx IPs to computers connecting that SHOULD have .1.xxx IPs. That DD-WRT router ALSO seems to give out its IP as the gateway for ALL connections. The gateways SHOULD be .20.1 and .1.1 for the associated subnets...
So, basically I am left with a big mess that sometimes ALMOST works as required, but there are times (usually at the most inopportune moment) when the whole thing collapses..
If anyone has any words of wisdom (beyond sitting down and crying.. tried that. didna help.. :D) I would be immensely grateful..
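The failure described in the post (a second DHCP server answering on a segment it does not own, handing out addresses from the wrong subnet and itself as the gateway) is easy to confirm if you record DHCPOFFERs per segment and check each one against the intended plan. The script below is an added example, not something from the thread or from DD-WRT/RV082; the segment names, the expected server addresses, and the sample offers are all constructed for illustration (the thread itself only states that the gateways should be .1.1 and .20.1).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Intended subnet per captured segment, and the DHCP server/gateway each
# subnet is supposed to use. Assumed values standing in for the real ones.
SEGMENT_SUBNET = {
    "fm-wifi": ipaddress.ip_network("192.168.1.0/24"),    # hotspot grid
    "shop-lan": ipaddress.ip_network("192.168.20.0/24"),  # shop LAN
}
EXPECTED = {
    ipaddress.ip_network("192.168.1.0/24"): {"server": "192.168.1.1", "gateway": "192.168.1.1"},
    ipaddress.ip_network("192.168.20.0/24"): {"server": "192.168.20.1", "gateway": "192.168.20.1"},
}


@dataclass(frozen=True)
class DhcpOffer:
    """The DHCPOFFER fields that matter for this check."""
    client_mac: str
    seen_on: str     # segment the capture interface sits on
    server_id: str   # option 54, DHCP server identifier
    offered_ip: str  # yiaddr
    router: str      # option 3, default gateway handed to the client


def audit_offer(offer: DhcpOffer) -> List[str]:
    """Return a list of problems with one offer; empty means it matches the plan."""
    intended = SEGMENT_SUBNET[offer.seen_on]
    want = EXPECTED[intended]
    findings = []
    if ipaddress.ip_address(offer.offered_ip) not in intended:
        findings.append(f"offered {offer.offered_ip} is outside {intended}")
    if offer.server_id != want["server"]:
        findings.append(f"offer came from {offer.server_id}, expected {want['server']}")
    if offer.router != want["gateway"]:
        findings.append(f"gateway {offer.router} handed out, expected {want['gateway']}")
    return findings


def audit_offers(offers) -> Dict[str, List[str]]:
    """Audit every offer, keyed by the client MAC that received it."""
    return {o.client_mac: audit_offer(o) for o in offers}


def rogue_servers(offers) -> set:
    """DHCP server identifiers that answered on a segment they do not own."""
    return {
        o.server_id for o in offers
        if o.server_id != EXPECTED[SEGMENT_SUBNET[o.seen_on]]["server"]
    }


# Constructed sample offers (not a real capture): a correct lease on the
# hotspot segment, the .20.1 box answering on the hotspot segment with a
# .20.x lease and itself as gateway, and a correct lease on the shop LAN.
SAMPLE_OFFERS = [
    DhcpOffer("aa:bb:cc:00:00:01", "fm-wifi", "192.168.1.1", "192.168.1.57", "192.168.1.1"),
    DhcpOffer("aa:bb:cc:00:00:02", "fm-wifi", "192.168.20.1", "192.168.20.105", "192.168.20.1"),
    DhcpOffer("aa:bb:cc:00:00:03", "shop-lan", "192.168.20.1", "192.168.20.50", "192.168.20.1"),
]

if __name__ == "__main__":
    for mac, findings in audit_offers(SAMPLE_OFFERS).items():
        print(f"{mac}: {'OK' if not findings else '; '.join(findings)}")
    print("rogue servers:", rogue_servers(SAMPLE_OFFERS))
```

Run against real offers, the useful signal is the set returned by rogue_servers: any server identifier that shows up on a segment it is not supposed to serve is a DHCP server that is bridged into (or leaking into) that broadcast domain, which is exactly what VLAN tagging is meant to prevent.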
As I've read this it appears this entire setup could benefit from VLANs.
Have you done this?
The diagram doesn't show VLAN information, and VLANs would most likely (if implemented) help with troubleshooting.
As it is, unless physically separating links and then using VPN is suggested (between the individual networks).
Hi Samuel. Thanx for the reply..
Yes, this actually DID start out as a VLAN project..
I put in a LINKSYS RV082 to act as the "train yard" for all the various connections...
I got some assistance from a tech friend in Chicago and he sent me an updated diagram on how HE would do things:
The weird thing is, when I set things up that way, the ONLY way it would work is if I had everything on VLAN1...
Of course, THAT confused me beyond all belief... :^/
I should mention that things are, right now, kind of an amalgamated version of both the first diagram and the second diagram..
If your VLANs are tagged for logical segmenting then each NIC in EXETER would need its connected switch port to have the associated VLAN ID configured. VLANs can easily add a significant layer of complexity but they also aid in reducing broadcast domain noise and help in troubleshooting.
The diagram that you're showing doesn't lend enough information to be able to advise.
Unfortunately, I am not at my shop right now so I can't give any more specifics..
I am wondering if my best course of action is simply to pull everything down/off/out and start from scratch.. One of the biggest problems I noticed when working with VLANs is that, with the RV082, DHCP was not available except for the default LAN, in this case 192.168.1.1
I am thinking I might replace the RV082 with a simple Linksys WRT54G running DD-WRT because I know that DD-WRT will allow VLANs with corresponding DHCP service...
Possibly a rule set issue in the RV082?
Have you configured rulesets for the individual VLANs?
Make sure it has the latest firmware, is not buggy or faulty and confirm you have rule sets enabled for each config.
Make sure you know the IP ranges for both VLANs
Click on Add New Rule
Action - Deny
Service - All Traffic
Log - Not Log
Source Interface - LAN
Source IP - Range and then set values to ip range of vlan 1
Destination IP - Range and then set values to IP range of VLAN 2
Click on Save Settings
Then repeat but reverse the source and destination ip ranges
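The two-rule recipe above (deny VLAN 1 to VLAN 2, then the reverse) is worth sanity-checking before trusting it, because a single deny only blocks one direction and an exception such as the YORKTOWN-to-camera access from the first post has to sit before the denies to take effect. The model below is an added example written for this thread, not RV082 firmware logic: it assumes first-match rule evaluation with a default allow and ignores the source-interface field, and the YORKTOWN and camera addresses are placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

VLAN1 = ipaddress.ip_network("192.168.1.0/24")   # FM hotspot grid
VLAN2 = ipaddress.ip_network("192.168.20.0/24")  # shop LAN


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def decide(rules: List[Rule], src_ip: str, dst_ip: str, default: str = "allow") -> str:
    """First matching rule wins; no match falls through to the default.
    First-match ordering and default allow are assumptions of this model."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


def isolation_gaps(rules: List[Rule], a, b) -> List[Tuple[str, str]]:
    """Probe one host in each direction between networks a and b and
    return the (src, dst) pairs that are still allowed."""
    probes = [(str(a[10]), str(b[10])), (str(b[10]), str(a[10]))]
    return [p for p in probes if decide(rules, *p) == "allow"]


# The recipe from the post: first just the VLAN1 -> VLAN2 deny, then both.
ONE_WAY = [Rule("deny", VLAN1, VLAN2)]
BOTH_WAYS = ONE_WAY + [Rule("deny", VLAN2, VLAN1)]

# Hypothetical exception: the shop surveillance server (placeholder .20.20)
# may reach one grid camera (placeholder .1.200). Order decides whether it works.
YORKTOWN = ipaddress.ip_network("192.168.20.20/32")
CAMERA = ipaddress.ip_network("192.168.1.200/32")
WITH_EXCEPTION = [Rule("allow", YORKTOWN, CAMERA)] + BOTH_WAYS
WRONG_ORDER = BOTH_WAYS + [Rule("allow", YORKTOWN, CAMERA)]

if __name__ == "__main__":
    print("one-way gaps:", isolation_gaps(ONE_WAY, VLAN1, VLAN2))
    print("two-way gaps:", isolation_gaps(BOTH_WAYS, VLAN1, VLAN2))
    print("hotspot to Internet:", decide(BOTH_WAYS, "192.168.1.10", "203.0.113.5"))
    print("YORKTOWN to camera, exception first:",
          decide(WITH_EXCEPTION, "192.168.20.20", "192.168.1.200"))
    print("YORKTOWN to camera, exception last:",
          decide(WRONG_ORDER, "192.168.20.20", "192.168.1.200"))
```

The hotspot-to-Internet probe uses a documentation address (203.0.113.5) to show that the two denies leave outbound traffic alone, which is the "Internet access only" requirement for the 192.168.1.xxx grid.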
That's the OTHER thing that is so weird about this..
I don't have ANY rules set up... By all rights, it should be a massive failure..
Yet, it works like 85% fine.. There are just some minor issues here and there and then there is the reliability..
It's got me stumped...