1

ISP-A: 4 Mbps (1:1) fiber leased line with a static IP address, and ISP-B: 20 Mbps (1:8) fiber connection with a dynamic IP address.

A little context on the situation: currently we have only one ISP (ISP-A), and as the bandwidth is not sufficient for everyone (around 25 people browsing and accessing AWS/Azure), our plan is to add another ISP to our local network so that everyone can browse/mail without complaining about bandwidth issues. ISP-B costs less than ISP-A for 20 Mbps as it's not a 1:1 connection and they don't have any SLA with us. Our office is divided into Dev and Non-Dev users.

Dev Users

  • Majority on LAN & 3 on WiFi
  • Connect to AWS/Azure (needs to be connected as a fixed IP for incoming firewall policies for Instances).
  • Need to browse the internet (doesn't matter if IP is fixed at this point). Most of them do SO/Git/Bitbucket/YT etc.

Non Dev Users

  • Majority on WiFi & 3 on LAN
  • Browse the internet, use mail/hangouts/skype/teamviewer and don't need any static IP for whatever they use.

Once we get the 2nd ISP (ISP-B), I would like to channel all browsing traffic to ISP-B (20 Mbps) and have all the devs connect to AWS/Azure via ISP-A (4 Mbps) for SSH. So my plan was to set ISP-A as WAN1 and ISP-B as WAN2, e.g.:

WAN1 172.16.0.1
WAN2 172.16.1.1

What needs to be done is, everyone uses the internet via ISP-B. Devs use SSH (Port 22), Database connections (Port 5432) and some other ports which require static IP via ISP-A.

Equipment in use

  1. CISCO SG300-58 managed switch
  2. TP-Link single WAN Router
  3. 3x Ubiquiti Unifi APs

Proposed Equipment for Purchase

  1. Ubiquiti USG-Pro4 (to do Dual WAN)
  2. 2x more Ubiquiti Unifi APs

Total Devs: 10, Total Non-Devs: 25

Instead of changing their default gateway, how can I make them use the internet (Browse) via WAN2 without setting up a Proxy Server?

user2967920
  • 121
  • 6

2 Answers

1

So I got this done using a USG-Pro-4.

A custom rule needs to be implemented for this via SSH, as the UI is not complete at this stage for managing these rules.

The idea is to send ports 22 and 5432 out via WAN2 and keep Internet traffic on WAN1.

Equipment

  1. Cisco-SG300-52 - Doing DHCP - 172.16.0.1
  2. Unifi USG-Pro-4 - Dual WAN Router on - 172.16.0.5/16
    1. WAN1 : Fiber mux on 192.168.1.2
    2. WAN2 : - Fiber to LAN media converter on 192.168.2.1
  3. Unifi AP - 3x Nos, get addresses via DHCP, unifi controller is used to manage groups/SSID etc.

Overview of implementation

  • LAN1 : 172.16.0.0/16
  • WAN1 : 192.168.1.2/29 Gateway : 192.168.1.1
  • WAN2 : 192.168.2.2/29 Gateway : 192.168.2.1

All traffic going from LAN1 out on ports 22 and 5432 is sent out via WAN2 using the following rule on the USG-Pro-4. This allows browsing to happen via the 20 Mbps line and all database-related work and SSH to happen via WAN2 (static IP).

Example Configuration for the USG-Pro-4

configure
# Table 1: a default route that leaves via WAN2 (the static-IP line in this setup)
set protocols static table 1 route 0.0.0.0/0 next-hop 192.168.2.1
# Rule 2950 in the USG's LOAD_BALANCE modify set: LAN sources opening TCP 22 or 5432
# are looked up in table 1 instead of the main table; everything else stays on WAN1
set firewall modify LOAD_BALANCE rule 2950 action modify
set firewall modify LOAD_BALANCE rule 2950 modify table 1
set firewall modify LOAD_BALANCE rule 2950 source address 172.16.0.0/16
set firewall modify LOAD_BALANCE rule 2950 destination port 22,5432
set firewall modify LOAD_BALANCE rule 2950 protocol tcp
commit
save

You can use this link to access the entire thread for the configuration. A big thank you to UBNT-jaffe.

user2967920
  • 121
  • 6
0

There is no easy way to split the internet in half without also splitting your networks in half. Good news is that this sounds pretty much like what you were expecting to have to do anyway.

If you have VLAN100 set to use ISP A and VLAN200 set to use ISP B, then you can do inter-vlan routing to get full LAN access for both networks, and set your default gateways to the respective ISPs to control the internet access.

Now, if you wanted to do this so that all of your developers and non-developers were on the correct VLANs regardless of whether they were plugged in or on WiFi, there are multiple ways of achieving this.

For your WiFi, you could use WPA2-Enterprise authentication with a RADIUS server that specifies which VLAN to put the user on. Essentially, instead of having the same shared key to connect to the WiFi, users connect with a username and password. The username they provide indicates which VLAN they will be put onto. Ubiquiti UniFi (good choice, btw) can absolutely do this.

The other option for WiFi would just be to have two SSIDs, one on each VLAN, and you just instruct your staff to connect to one or the other. UniFi can also do this very easily.

For your wired connections, you can use 802.1X port-based network access control. Essentially this is similar to WPA2-Enterprise. When a user plugs into the network, the operating system detects that it needs to do 802.1X authentication and prompts the user for a network username/password (or passes one through, in the case of Active Directory and Windows). Once authenticated, 802.1X will put the user on the appropriate VLAN. This way users can plug in wherever they want and still end up on the right network.

The other option, if your users are static, is to just manually assign port-based VLANs to their ethernet port and that way anyone who sits down and plugs into a given port will end up on one of the two networks.

With this setup, the devs would connect to AWS/Azure directly via Terminal/Putty without any issues but they would also browse via the same gateway which would be slower.

This is a difficult problem to overcome. If you have a very specific set of IP addresses you are connecting to, then some routing rules could come in handy. But what tends to happen then is if you have a basic SPI firewall they will often drop the return connections because they didn't see them get initiated (asynchronous routing).

But it sounds like the devs are not going to be any worse off than they are now. Right now you're shoving 35 people down the one 4Mbps pipe. Now you're only shoving 10 people down that pipe, so it might still be a win.

Mark Henderson
  • 68,316
  • 31
  • 175
  • 255
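An added simulation, not code from either answer, of what the first answer's rule 2950 does to a new outbound flow (matching LAN sources on TCP 22/5432 go to table 1 and out WAN2, everything else falls through to the main table and WAN1) and, in deliberately simplified form, the stateful-firewall drop the second answer warns about when a reply comes back on a WAN that never saw the flow leave. Addresses are the first answer's; the WAN names and the per-WAN state model are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the dual-WAN policy from the first answer (addresses are
# the answer's; the labels WAN1/WAN2 are assumed, not USG interface names).
TABLES = {
    "main": {"wan": "WAN1", "next_hop": "192.168.1.1"},  # default route, browsing
    1:      {"wan": "WAN2", "next_hop": "192.168.2.1"},  # static table 1, SSH/DB
}

# Equivalent of: firewall modify LOAD_BALANCE rule 2950 ... modify table 1
MODIFY_RULES = [
    {"rule": 2950, "source": ip_network("172.16.0.0/16"),
     "protocol": "tcp", "dports": {22, 5432}, "table": 1},
]

def select_table(src, proto, dport):
    """Lowest-numbered matching modify rule wins; no match -> main table."""
    for rule in sorted(MODIFY_RULES, key=lambda r: r["rule"]):
        if (ip_address(src) in rule["source"] and proto == rule["protocol"]
                and dport in rule["dports"]):
            return rule["table"]
    return "main"

def egress_wan(src, proto, dport):
    """WAN the first packet of a new outbound flow leaves on."""
    return TABLES[select_table(src, proto, dport)]["wan"]

class StatefulWan:
    """Simplified per-WAN SPI firewall: replies are only let in for flows it saw leave."""
    def __init__(self, name):
        self.name, self.flows = name, set()

    def outbound(self, flow):
        self.flows.add(flow)

    def inbound_reply(self, flow):
        return "ACCEPT" if flow in self.flows else "DROP"

def simulate(flows):
    """flows: (src, sport, dst, dport, proto, wan_the_reply_arrives_on).
    Returns (egress WAN, reply verdict) per flow; a reply arriving on the
    other WAN is the asymmetric-routing drop the second answer describes."""
    wans = {"WAN1": StatefulWan("WAN1"), "WAN2": StatefulWan("WAN2")}
    verdicts = []
    for src, sport, dst, dport, proto, reply_wan in flows:
        key = (src, sport, dst, dport, proto)
        out = egress_wan(src, proto, dport)
        wans[out].outbound(key)
        verdicts.append((out, wans[reply_wan].inbound_reply(key)))
    return verdicts
```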