Link Technologies, Inc provides Network Design / Engineering / USA based ISP in High Availability Network

Customer Environment

The operator maintained more than 20 POP sites, each with 1–10 Gbps Internet connectivity sourced from one of two primary upstream providers. They controlled a /19 and a /22 of public IPv4 space, but provider requirements restricted announcements to /24s, limiting flexibility and efficient IP utilization.

The operator also incurred significant recurring cloud costs. Core platforms (UISP and other operational servers) were hosted in the cloud, requiring:

• IPSec tunnels from 20+ POP locations back to cloud infrastructure
• VPN access for staff into cloud-hosted systems
• Continuous data transfer for monitoring and management

Because all sites and employees accessed centralized services over VPN, the operator paid monthly data-transfer charges simply to monitor and operate the network—costs that grew as additional remote staff were added.

LTI Solution Overview

LTI designed a data center–centric architecture to centralize Internet transit, routing, security, and server infrastructure while maintaining full redundancy and operational resilience.

Customer-staged data center hardware:

• Four bare-metal servers
  • Customer-supplied servers
  • RAID5 with SAS drives
• Two MikroTik CCR2216 routers
• Two MikroTik CCR2116 routers
• Two MikroTik CRS326-24G+2Q+RM switches (Fiber)
• Two MikroTik CRS326-24G-2S+RM switches (Management)

LTI provided end-to-end design and implementation guidance, including MikroTik and EdgeRouter consulting, configuration of all site routers, modernization to a more redundant architecture, improved monitoring, and training for ISP staff.

Core Routing, Firewall, and VPN Design

BGP / Edge

LTI connected two CRS305 switches—one to a 100G upstream and another to a 100G cross-connect with the Layer 2 provider—delivering additional capacity across the network. BGP was configured on one CCR2216 edge router, with double-tagged VLANs per the Layer 2 provider to integrate both CCR2216s into the edge stack. CCR2116s were placed in a ring configuration with 10G cross-connects to ensure bandwidth availability and high availability. A second BGP edge session is planned for redundancy.

• BGP configuration and edge policy implementation
• Firewall protection for network devices and critical assets
• Redundant CCR2216 capacity reserved for future BGP sessions
• Redundant VLAN distribution to POP sites as part of the HA roadmap

CCR2116 Firewall and VPN Layer

The CCR2116 pair was designed as a redundant security layer behind the edge stack to handle data-center tasks such as VPN services, tunnels for non-cutover sites, firewalling, and zero-trust controls for the virtualization cluster.

Redundant routing and security architecture delivered:

• CCR2116 pair configured as primary firewall and VPN gateways
• Secure tunnels from remote POPs into the unified data center
• Remote-access VPNs for staff with controlled access to resources
• VRRP for IPv4 and IPv6 gateway resiliency
• Zero-trust firewall policies protecting UISP, DNS, and internal services
• Backup tunnels over third-party GPON or local Internet connections as sites came online

Server & Virtualization Platform (Proxmox Cluster)

The customer supplied four identical servers (dual 10G NICs, two 1G interfaces, iDRAC). LTI performed the remote buildout:

• Configured RAID-5 arrays on each server
• Optimized BIOS configuration for performance
• Installed and updated Proxmox v9
• Joined all nodes into a single cluster
• Deployed Proxmox Backup Server with automated backup policies

Locally Hosted Services

Services deployed on the Proxmox cluster included:

• UISP server
• cnMaestro server
• Speedtest.net local server (Ookla registered)
• ISP-optimized recursive DNS with aggressive caching
• MikroTik The Dude for unified network visualization
• Zabbix monitoring for BGP, OSPF, traffic flows, and server health
  • Email alerts for site outages
  • Triggers when GRE tunnels are used (primary transit down)

Server networking was built behind redundant CRS326 switches in a ring topology, delivering 10 Gbps connectivity to servers and internal private subnets, with separate management switching for remote administration.

POP Cutovers and Edge Modernization

Across ~20 POP sites, LTI executed a phased cutover:

• Removed Ubiquiti EdgeRouter Infinity platforms where possible
• Converted cloud tunnels to GRE and integrated into CCR2116 for management/remote access
• Converted site configurations to CCR2116 or CCR2004 based on site size
• Configured BGP on all routers
• Implemented firewall rules to prevent customer access to private infrastructure
• Locked down management while permitting required operational services
• Deployed DHCP changes to push new recursive DNS servers
• Built dual VLANs back to dual DC routers for redundancy
• Configured OSPF correctly for failover
• Onboarded devices into Zabbix and The Dude for monitoring

Results included markedly improved DNS performance, with more than 86% of queries served from local cache. Router backups and monitoring were integrated into LTI’s centralized platform.

Network Redundancy and Resilience

Each POP location was engineered with:

• Two VLANs, each terminating to a separate core path
• Automatic failover between core routers
• Backup tunneled paths over local Internet or GPON circuits

This design preserves public IP reachability during fiber cuts or Layer-2 provider outages.

Training and Knowledge Transfer

LTI provided hands-on training covering:

• DHCP server visibility and management
• MikroTik The Dude client setup and use
• Secure VPN access into the network
• Zabbix dashboards, alerts, and performance metrics

A complete network map was delivered to support ongoing operations and troubleshooting.

Results Delivered

• Centralized Internet transit and routing
• Elimination of recurring cloud data-transfer costs for monitoring and access
• Faster DNS response times with greater than 86% cache efficiency
• Fully redundant routing, firewalling, and POP connectivity
• Simplified operations with full local control of critical systems

Next Phase Objectives

• Deploy IPv6 across all client networks
  • Already deployed; expanding usage across the network
• Subnet existing /24 allocations into smaller blocks to optimize IP utilization
  • Return unused portions of rented /19 to produce measurable cost savings
• Roll cnMaestro to self-hosting to reduce cloud spend

About Link Technologies, Inc.

Link Technologies, Inc. has provided network engineering and infrastructure services for nearly 20 years.

We specialize in high-availability architectures for:

• WISPs
• Fiber operators
• Enterprises
• MSPs
• Financial institutions
• Healthcare and hospitality networks

Our work centers on MikroTik-based platforms, carrier-grade routing, zero-trust security, monitoring, backup systems, and ISP-scale design.

We also operate a private data center in House Springs, Missouri, and provide hardware distribution, training, and managed network services.