Network Integration

W9HDG
Network Integration

OK, time for another one of my super crazy involved questions. I am working on integrating my two networks. My home network is on a class B 172.x.x.x network. I have a separate class C network 192.168.x.x set up for the MESH network operations. I have a static route pointing the class A 10.0.0.0/8 network to a node in the 192.168.x.x network. I can ping both the 192.168.x.x address of that node and its 10.x.x.x addresses as well. I can't get any further than that in terms of pinging the IP address of another node I have set up. Nor can I get name resolution to work (I added the 10.x.x.x address of the hardwired node to my network as another DNS server). I might have an idea here and am going to try and tweak the number of "hops" in the static route to see if that helps.

Problem number 2: If I directly query the Mesh node's DNS server using dig I don't get a response either.

I'm stuck...confused...hmmm

The main reason I am doing this is to isolate the two networks. I want to be able to use my Laptop to browse both home and MESH services, and limit the MESH's access to my home network. I have that all figured out with firewall rules in my EdgeRouterX, I'm just stuck with the name resolution.

Ultimately what I'm trying to do is tie the two networks together like I would need to do at, say, the Red Cross or something to make use of a building's existing infrastructure and network.

AE6XE
W9HDG,

"I want to be able to use my Laptop to browse both home and MESH services, and limit the MESH's access to my home network."

What about limiting the home network to the MESH network? The current AREDN design blocks this access. It would be like connecting to the internet and then anyone can start accessing everything on the MESH, getting into Part 97 licensing issues.

This is what many people are doing: put your home network on the WAN port of the mesh node and your laptop on the LAN of the mesh node. The laptop receives an IP address from the mesh node (a 10.x.x.x address) and the mesh node receives an IP address from your home network (the Red Cross network, etc.) on the mesh node's WAN interface.

At this point, your laptop can browse to everything on the mesh network AND can access everything on your home network (assuming your home network's DNS is set up to resolve hostnames for what you want to access). The home network cannot get into the mesh network; it is blocked at the mesh node's firewall. By default, no one else on the mesh can access your home network (internet, etc.). If this is desired, then check the "Mesh Gateway" box in Basic Setup to allow others on the mesh to access your home network.

AREDN isn't configured to integrate with other networks, except in the above description and some other creative ways to munge the AREDN LAN network with another network. It is Linux and we can do anything from that perspective and enhance AREDN. But we'd need to talk about specific ways in which AREDN would be integrated, e.g., enable a tunnel from an agency's network to go over AREDN from an incident site to a logistical facility.

Joe AE6XE
W9HDG
What I'm trying to avoid is
What I'm trying to avoid is cable switching. Sometimes I'm wired, sometimes I'm wireless. I want to run a PBX server and be able to access it using a softphone I have installed on an old android phone from my wireless.

It seems to me there should be a way to integrate the two networks (perhaps in a more advanced setting somewhere) that would allow me to do this.

AREDN may block access from my home network by itself, but I want to allow devices on my network (that I control) to be able to access the MESH stuff. I also don't want to have throughput bottlenecked by what the MESH gateway box is capable of routing because sometimes I move some really large files around my network.

I understand the Part 97 considerations, and appreciate the steps that have been taken to help protect that, and maybe I need to re-evaluate what I am trying to do, but it seems to me that I should be able to define a static route somehow and merge the two networks and then block all access from the home network to the mesh via firewall rules in my EdgeRouterX, allowing only specific traffic (port 8080, the PBX stuff, etc.) to go from the Mesh to specific clients on the home network through MAC filtering (yes, I know this can be spoofed), etc.

Yes, I can set up an AP on the Mesh network and have my laptop connect to that wirelessly, along with the old phone and stuff like that, but I don't want to have multiple SSIDs flying around.
k0tan
Mesh and Home network

Joe, an issue I have with my ThinkPad laptop wired only to the (NS-M5 Secondary) Node is that I don't have access to the rest of the devices on my home network. So, for example, I cannot print to the wired network printers, access my NAS, or other computers. I get around this by having a USB-Ethernet adapter. My Local Area Connection is wired to a switch in my home network, as is the NS-M5 via PoE, and the USB-Ethernet goes to the NS-M2 Secondary port getting a 10.xxx IP, which allows my Node access to the Mesh (and a tunnel).

I am considering a 2nd WiFi AP for the Mesh, allowing access by phones, computers, etc.  Another option is an AirGateway Installer (which I have).  I'd like to avoid buying stuff I don't need, of course.  As always, thanks for the help!  My network is mostly wired, but having two SSIDs wouldn't be an issue. Grandstream GXP-2000 due tomorrow, which will be wired, of course.

Any thoughts appreciated!

Charlie KØTAN
Lake Havasu City, AZ

KE6MTO
Mesh and Home Network using a firewall

The way I achieved this was to use a router/firewall that I can configure with multiple "WAN" ports. One WAN port is NAT'd and is the default route for the router. The 2nd interface connects to the AREDN LAN segment. That interface too is NAT'd (so basically treating it as an "internet" connection). I have a 10.0.0.0/8 route out that interface; next hop is the AREDN LAN address. I use a rule to only allow my laptop to communicate out the AREDN interface so I don't have to worry about other machines generating traffic on that interface.

To solve DNS resolution for the AREDN network for my laptop, I have a layer 7 rule that looks for DNS packets with the DNS suffix included; if found, it sends those DNS requests to the AREDN node instead of the default DNS servers. This configuration has been working well since I set up my node a couple of months back.

Chris
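As an added example (not configuration from any poster in this thread, and not AREDN project code), here is the design Chris describes expressed in EdgeOS CLI for the EdgeRouter X that W9HDG asked about: a second router interface sitting on the node's LAN side as an ordinary mesh client, a 10.0.0.0/8 route via the node, source NAT so the mesh only ever sees the router's own 10.x address, a firewall that lets only listed home hosts originate traffic toward the mesh and lets nothing from the mesh originate connections inward, and conditional DNS forwarding so that only names under AREDN's local.mesh domain are sent to the node. EdgeOS has no layer 7 classifier like RouterOS; the equivalent is dnsmasq's server=/domain/address option, which EdgeOS exposes through service dns forwarding options. All interface names and addresses are assumptions: home LAN 172.16.0.0/24 on eth1 with the laptop at 172.16.0.10 and the softphone at 172.16.0.11, node LAN 10.55.66.64/29 with the node at .65 and the router at .66 on eth2. Substitute the node's real LAN subnet (shown on its Basic Setup page) before committing.

```text
configure

# eth2 faces the AREDN node's LAN port. The router becomes a normal LAN
# client of the node; the node's WAN-side firewall is never involved.
# (Addresses are assumed placeholders; see the lead-in.)
set interfaces ethernet eth2 description "AREDN node LAN"
set interfaces ethernet eth2 address 10.55.66.66/29

# Everything in 10.0.0.0/8 (the whole mesh) is reached through the node.
set protocols static route 10.0.0.0/8 next-hop 10.55.66.65

# The only home hosts allowed to talk to the mesh. Give these hosts static
# DHCP mappings on the home LAN so the addresses stay put.
set firewall group address-group MESH_CLIENTS description "home hosts allowed onto the mesh"
set firewall group address-group MESH_CLIENTS address 172.16.0.10
set firewall group address-group MESH_CLIENTS address 172.16.0.11

# Source-NAT that traffic to the router's mesh-side address, so the mesh
# needs no return route into 172.16.0.0/24 and sees a single client.
set service nat rule 5010 description "masquerade home -> mesh"
set service nat rule 5010 outbound-interface eth2
set service nat rule 5010 source group address-group MESH_CLIENTS
set service nat rule 5010 type masquerade

# Forwarded traffic leaving toward the mesh: listed hosts only.
set firewall name HOME_TO_MESH default-action drop
set firewall name HOME_TO_MESH rule 10 description "allowed home hosts"
set firewall name HOME_TO_MESH rule 10 action accept
set firewall name HOME_TO_MESH rule 10 source group address-group MESH_CLIENTS
set interfaces ethernet eth2 firewall out name HOME_TO_MESH

# Traffic arriving from the mesh: only replies to sessions we started,
# both for forwarding into the home LAN and for the router itself.
set firewall name MESH_IN default-action drop
set firewall name MESH_IN rule 10 description "replies to sessions opened from home"
set firewall name MESH_IN rule 10 action accept
set firewall name MESH_IN rule 10 state established enable
set firewall name MESH_IN rule 10 state related enable
set interfaces ethernet eth2 firewall in name MESH_IN
set interfaces ethernet eth2 firewall local name MESH_IN

# Conditional forwarding: *.local.mesh lookups go to the node's resolver,
# everything else keeps using the router's normal upstream servers.
set service dns forwarding options "server=/local.mesh/10.55.66.65"
set service dns forwarding listen-on eth1

commit
save
exit
```

Home clients keep using the EdgeRouter as their DNS server, as they normally do via DHCP, and get mesh names resolved without any per-client changes. To check the result: `show ip route 10.0.0.0/8` should list the node as next hop, a `dig` from the laptop against the router for a mesh hostname should return a 10.x address, and `show firewall name HOME_TO_MESH statistics` should show the default drop counter rising when a host that is not in MESH_CLIENTS tries to reach a 10.x address. The one-way design matters for the Part 97 point raised earlier in the thread: nothing on the mesh can open a connection into the home LAN, and nothing on the home LAN outside the listed group can reach the mesh at all.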

W9HDG
Chris,

It sounds like you've accomplished what I'm trying to do. I do want to ask you about your layer 7 rule though. Firstly, what sort of equipment are you running for your router/firewall to put that sort of policy in place?

Secondly...any idea how to implement that on a Ubiquiti EdgeRouterX? If not...any suggestions as to where to start looking?

Thanks in advance.

~Travis W9HDG
KE6MTO
RouterBoard 450G
I'm using a RouterBoard 450G running RouterOS. Really any of their hardware with multiple ports (3+) would work. I just needed something that supported 1G. My AREDN node is actually connected to a RouterBoard PowerBox on the mast. RouterOS has lots of options, one of which is at layer 7.

Chris
kk4hpy
I know you guys are trying to

I know you guys are trying to do something more complicated but I have a simple setup that works.
My laptop's Wi-Fi is connected to my ISP router's Wi-Fi, and my laptop's Ethernet jack is connected to the switch where all my nodes are. The switch with the nodes is also wired to my ISP router as the switch's WAN connection. The ISP LAN network and the mesh node switch LAN are isolated from each other, but my Windows 10 laptop is on both networks at the same time. Both networks have a DHCP server, the mesh nodes on their side and the ISP router on the other side. Everything on both sides has internet access. Nothing on the mesh node switch can access anything on my ISP router LAN and vice versa.