Static Routing - any routing gurus here ?

[baldrick]

I have a network with the main router being the internet facing gateway. I have added another router gateway with its WAN connected to an untrusted LAN network.
the untrusted LAN and WAN have static IP's in the 192.168.222.x range.
the trusted network is in the 10.168.222.x range , with the LAN side of the main gateway being 10.168.222.1 and the new router being 10.168.222.12 .

I added a static rule to the routing table on the main gateway.
destination 192.168.222.0
mask 255.255.255.0
gateway 10.168.222.12
metric 0
interface LAN

the new router has the 192.168.222.0 rule in its routing table and knows it is the WAN , but I even tried adding firewall and IP masquerading rules pointing to the WAN just in case.

the new router will ping the 192.168.222.x network fine , also the 10.168.222.x .

tracert to 192.168.222.x goes to the main gateway and is flung out its WAN to get lost on 'tinternet.

WTF ? I has assumed any addressed packets to the 192.168.222.x network would arrive at the gateway and get passed onto the LAN of the new gateway where they would be passed to the WAN then onwards to the machine in question.

any ideas as to where I am fcuking up ?

[Marmite the Dog]

Mummy. My head hurts.

[Butterfly]

ask CMN, he is an expert

why doing firewall routing (some kind of NAT I am assuming) on the top of the hard routing ? that could be the source of your problem here,

also what are you trying to accomplish really, difficult to say from the first sentences already

[baldrick]

also what are you trying to accomplish really, difficult to say from the first sentences already

30 IP camera network that is now going to have a "securitah" monitoring station.
I originally just put the monitoring PC outside and forwarded to the cams inside , but was only able to have 20 ports concurrently forwarded so that put paid to that idea.
so I have parked the switch outside now and the connected it to the WAN port of what will be the firewall to the cam network. But I need to be able to VNC/admin to the monitoring machine , cams and routers outside and also forward from 'tinternet to the cams etc.

I had the static routing working before , but I have gone and changed the IP subnets a bit and now the logic just don't seem to fly

I think I will just have to flush the routing tables on the router NVRAM and see if it was some leftover issue - though I can't see it in the routing tables

I have rebooted a few times thinking they will rebuild their tables , but maybe there is some gumpf left there.

[lom]

I originally just put the monitoring PC outside and forwarded to the cams inside , but was only able to have 20 ports concurrently forwarded so that put paid to that idea.

Your description of the setup is a bit foggy, I understand what you wanna achieve but can't correlate it with your setup.

Why don't you use 2 dedicated routers for the cameras giving you 2x20 possible
port forwards?

[daveboy]

Why don't you connect the 30 ip camera's onto a DVR/NVR with a ip licence then sit that on the network. Just make sure your doing it on a 1gb min network as that's a lot of bandwidth your sending out there.

[baldrick]

Why don't you connect the 30 ip camera's onto a DVR/NVR with a ip licence then sit that on the network. Just make sure your doing it on a 1gb min network as that's a lot of bandwidth your sending out there.

the network Video recorder and Multiwindow Viewer are a desktop computer - I prefer to have the versatility of a computer than an appliance.
bandwidth - the cams are 1/3 ccd's encoding MPEG4 class 2 at CIF ( 352x288pix ) and 10fps. - max about 500 kbits per sec. 30 cams on a 100 meg network is fine. The only stutters in real time viewing are because of wifi issues (minimal ) , but the recording is fluid as the cams buffer. about 20 cams on wifi with 10 APs on the network the rest 10/100 LAN.

megapixel IP cams encoding to H264 ( MPEG4 class 10 ) will get the bandwidth down 6-10x , but the corresponding need for processing power to decompress the video at the Viewing end on the fly.

Your description of the setup is a bit foggy, I understand what you wanna achieve but can't correlate it with your setup.

Why don't you use 2 dedicated routers for the cameras giving you 2x20 possible
port forwards?

I had considered 2 routers , but I know it can be done with 1 and it lowers the complexity a little of the network config

the basics are - 30 cams plus desktop on a LAN which has a connection to the WAN ( static IP ) of a 54GL ( tomato firmware ). The LAN ( static IP ) of the 54GL is connected into the office LAN.
the office LAN also has a 54GL with its WAN connected to an ADSL modem running as a full bridge with the 54GL controlling the PPPoE connection.
any requests to the cam network need to be sent to the 54GL that is the gateway between the cam LAN and the office LAN - this I expect to include ports forwarded from the internet to the IP's of cam on the cam network so viewing can be done via remote computer or mobile phone.

I will do a full flush of the NVRAM later today as I am also having issues with the VPN server that is also running on the internet router and the command route -n is not showing my static route , so I am suspecting that there is some leftover in the system from some previous fcuking with the configuration.

[daveboy]

In that case why don't you use dynamic routing rather than static as its much more fault tolerent.

[The Fresh Prince]

Bugger, I clicked on this thinking I could help after Loms teachings but here is the noise that just rushed past the top of my head "Wooooooooooooshhhhhhhhh"

Luckily Loms here, he'll sort it.

[baldrick]

NVRAM flush seemed to do the trick

though I have not fully checked access from the internet yet

In that case why don't you use dynamic routing rather than static as its much more fault tolerent.

the dynamic routing is fine for the normal office network traffic that is on the same subnet , but the other network is on a different subnet and also only accessed via the secondary gateway.

the packets will go first to the main router and if I did not have a static route with a low metric they would just get passed to the WAN and onto the internet , whereas I want them to be passed from the main router to the secondary router.

[lom]

54GL ( tomato firmware ).

Ever considered loading your 54GL with dd-wrt?
I've never run out of forwarding rules on mine, I think I once had around 50 rules
defined.
Their documentation says it has no fixed limit, it's only a matter of available RAM.

[baldrick]

54GL ( tomato firmware ).

Ever considered loading your 54GL with dd-wrt?
I've never run out of forwarding rules on mine, I think I once had around 50 rules
defined.
Their documentation says it has no fixed limit, it's only a matter of available RAM.

The Tomato forwarding page allows at least 50 , I have run into the stop before , but it is 50 odd.

the problem was only 20 could be in action at once , though if you are not streaming traffic it might not be noticable.
what would happen was a camera would Hiccup with its stream - normally a wifi issue , and the another camera would jump in and start.

Tomato is just what I started with and am used to , I have not tried DD-WRT yet - so little time

[lom]

Tomato is just what I started with and am used to , I have not tried DD-WRT yet - so little time

Tried Tomato around 2 years ago - it was okayish.

Today i swear by dd-wrt so it could be interesting to hear your opinion about it considering you are used to a more recent Tomato.

[daveboy]

the network Video recorder and Multiwindow Viewer are a desktop computer - I prefer to have the versatility of a computer than an appliance.

Your just trying to do it on the cheap be honest.

[baldrick]

Today i swear by dd-wrt so it could be interesting to hear your opinion about it considering you are used to a more recent Tomato

not the time to play with it - though I might flash this unit I have here once I have another issue under control with it. It is running a a wireless client and I am also trying to get it running as an openVPN client but the WAN does not seem to want to fully be the tap interface. The other unit that I am having the routing issues with is running an openVPN server nicely and I can get an un NAT'ed tunnel between the 2 54GL's but the LAN on the client is not behaving.

I still have not worked out fully my routing issue with the other unit as I have not managed to get the forwarding to route to the secondry LAN - it is a bit strange as from the unit itself I can ping and tracert to the secondry LAN no worries , but forwarded packets seems to get lost - I am not sure how I will try and tracrt them yet.

Your just trying to do it on the cheap be honest.

how many of the appliances do SNMP ? nothing like being locked into the vendors firmware etc.

one of the best things about the IP cameras are their versatility.

[daveboy]

how many of the appliances do SNMP ? nothing like being locked into the vendors firmware etc.

All of the pc based nvr's can and record at higher resolutions there powerful machines designed for recording anolog or ip cams.
Tell me baldrick are you an IT professional.

[baldrick]

Tell me baldrick are you an IT professional.

no - just an Amatuer - I am normally an Instrumentation Tech.
I have just been doing the network design/config for a company startup that is into IP cams ( china manuf - CCD's ) . A lot of it is Wifi to enable getting to those areas where it is hard to ( or very expensive ) to install cable . I have successfully set up WDS ( wireless distribution system ) with multiple AP's and Wifi IP cams now - Tomato Firmware on WRT54GL's. I have also set up a mobile unit which can be local/remote viewed/recorded with HSDPA as the internet link ( will be trying HSUPSA in the near future - 1.8 - 5.6 Mbits/sec uplink - and I have tested 802.16(e?) but this has not been encouraging though I am not sure if it has been deployed fully and correctly yet , but the new centrinos will have WiMAx onboard which will encourage operators ) - H264 is going to reset the boundries in this department. These small IP video encoders with H264 and if I can find one with miniPCIe interface onboard for optional HSUPA/WiMax modem card , will make an ideal mobile DVR for taxis etc. Orwell's 1984 is arriving quickly.

All of the pc based nvr's can

I think I can build a machine and load the required software on it for a much cheaper price.

[daveboy]

Thats clever stuff baldrick your right about that H264 codec hd mobile video can't be far off. Please let me know how you get on with your project I would be very interested.

[baldrick]

just a quick note

my routing and forwarding issues were cause by a bug in the VPN build I was using - new build from the developer has sorted the problems

dave - I have not found a single channel video H264 encoder yet , but I should get to look at a 4 channel unit soon, mobile with removable HD and SD slot - it has audio ,232 , 485 , RJ45 and 2 USB host slots also. It is running embedded winXP so there is a chance drivers for the Huawei USB HSUPA could be incorporated.
though there is a Huawei unit ( part no. d100 ) which will accept a Huawei USB modem and has a RJ45 port ( wifi also ). - only seen in the wild in the UK with 3 , no one here in Singapore or China has heard of it - fcuking sales , can't get hold of a tech.
I have been using a Huawei e960 for mobile HSDPA access though they said last night it could be upgraded to HSUPA ( 1.8meg up ) so I will be testing this week.
I would rather be using the D100 as I run the VPN server/client on a WRT54GL which is a 4 port router anyway.

the 4 channel unit combined with HSUPA modem would be the ticket for Bus monitoring with the ability for both local and remote recording/viewing - gps , audio etc etc.

[daveboy]

I use the Huawei tech support online is not a bad service.