1 IP, 1 Router(Linksys 4-port): How to split network into two subnets that cannot see each other.
I've been in a quandry to complete this networking task, but have gotten confused on how to create a subnet on an existing network. Resources available include a single IP 4-port router servng off of a T1 modem. Beind the router, one port goes off to one department, while another router port goes off to another department; each has their own hub systems serving their machines.
We are currently using local IP 192.168.1.1 (device IP) and 255.255.255.0 (subnet mask). Neither department is supposed to see or access each other. Unfortunately, both are currently being blinded from each other only by means of protocol settings, but, periodically the protocols are reset and each department can see each other until the protocols are reset. I need to stop this. First, the protocol method does not create any real security (obviously), and secondly, because these settings prevent either side from using the networks workgroup and sharing features adequitely.
First method: I have thought of using a hub to split the T1 feed then run two routers off the hub, each with their own global IP (I'd get a second IP from our ISP), then each department could keep their current local IP configuration without my needing to change anything.
Second method: I have also thought of trying to set up a subnet, but I can't quite figure out how to resolve the breakdown of how to reconfigure the subnet masks or how to confirm what local IP sets would be available. The existing router already has a menu for choosing 2, 4, and 6 subnet masks, but then I don't know what IPs would be available. I am also concerned that a subnet would not create the separation of the departments that I need.
Well, that's my quandry. I am looking for input as to the doability of my first method, or some direction for accomplishing the second method. No splitsies on this one. Best response get all the points.
Also, please, I am not a technician, so try not to use too much techspeak. You may give a great answer, but if I cannot decipher your remarks then it does me no good.
Thank you.
We are currently using local IP 192.168.1.1 (device IP) and 255.255.255.0 (subnet mask). Neither department is supposed to see or access each other. Unfortunately, both are currently being blinded from each other only by means of protocol settings, but, periodically the protocols are reset and each department can see each other until the protocols are reset. I need to stop this. First, the protocol method does not create any real security (obviously), and secondly, because these settings prevent either side from using the networks workgroup and sharing features adequitely.
First method: I have thought of using a hub to split the T1 feed then run two routers off the hub, each with their own global IP (I'd get a second IP from our ISP), then each department could keep their current local IP configuration without my needing to change anything.
Second method: I have also thought of trying to set up a subnet, but I can't quite figure out how to resolve the breakdown of how to reconfigure the subnet masks or how to confirm what local IP sets would be available. The existing router already has a menu for choosing 2, 4, and 6 subnet masks, but then I don't know what IPs would be available. I am also concerned that a subnet would not create the separation of the departments that I need.
Well, that's my quandry. I am looking for input as to the doability of my first method, or some direction for accomplishing the second method. No splitsies on this one. Best response get all the points.
Also, please, I am not a technician, so try not to use too much techspeak. You may give a great answer, but if I cannot decipher your remarks then it does me no good.
Thank you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Isn't is possible if you setup your router as 192.168.1.1 - subnet 255.255.0.0 ... NO DHCP.
LAN1 - Hard code all machines to IPs in 192.168.10.x - subnet 255.255.255.0 - Gateway 192.168.1.1
LAN1 - Hard code all machines to IPs in 192.168.20.x - subnet 255.255.255.0 - Gateway 192.168.1.1
All machine should be able to talk to 192.168.1.1 and transfer internet traffic, but should only be able to talk to .10.x or .20.x but not eachother.. (make sense?)
You may have to setup static routes in the linksys to get the traffic to pass from 1.1 to 10.x or 20.x
LAN1 - Hard code all machines to IPs in 192.168.10.x - subnet 255.255.255.0 - Gateway 192.168.1.1
LAN1 - Hard code all machines to IPs in 192.168.20.x - subnet 255.255.255.0 - Gateway 192.168.1.1
All machine should be able to talk to 192.168.1.1 and transfer internet traffic, but should only be able to talk to .10.x or .20.x but not eachother.. (make sense?)
You may have to setup static routes in the linksys to get the traffic to pass from 1.1 to 10.x or 20.x
aindelicato,
Your option will not work. Your default gateway must be on the same subnet as your interface. The router may see the PC as being on the same local network, but the PC won't know how to get to the gateway.
>LAN1 - Hard code all machines to IPs in 192.168.10.x - subnet 255.255.255.0 - Gateway 192.168.1.1
^^ ^^^ ^^
Your option will not work. Your default gateway must be on the same subnet as your interface. The router may see the PC as being on the same local network, but the PC won't know how to get to the gateway.
>LAN1 - Hard code all machines to IPs in 192.168.10.x - subnet 255.255.255.0 - Gateway 192.168.1.1
^^ ^^^ ^^
Ummm.. tested... and it works.
Well, I'm certainly never too old to learn a new trick....
It does not appear to work if doing it at the command prompt (on XP) as demonstrated here:
C:\WINDOWS>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : xxx.com
IP Address. . . . . . . . . . . . : 192.168.122.150
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : 192.168.122.132
C:\WINDOWS>route add 0.0.0.0 mask 0.0.0.0 192.168.1.1
The route addition failed: Either the interface index is wrong or the gateway does not lie
on the same network as the interface. Check the IP Address Table for the machine.
However, using the GUI for TCP/IP properties, I can set the gateway to anything outside my local network...
Interesting.
It does not appear to work if doing it at the command prompt (on XP) as demonstrated here:
C:\WINDOWS>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : xxx.com
IP Address. . . . . . . . . . . . : 192.168.122.150
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : 192.168.122.132
C:\WINDOWS>route add 0.0.0.0 mask 0.0.0.0 192.168.1.1
The route addition failed: Either the interface index is wrong or the gateway does not lie
on the same network as the interface. Check the IP Address Table for the machine.
However, using the GUI for TCP/IP properties, I can set the gateway to anything outside my local network...
Interesting.
> Ummm.. tested... and it works.
Then not adequately tested. Although you've given the subnets different subranges, they're not really on different networks. A sniffer will reveal some of the other subnet's traffic (especially broadcasts, but possibly other stuff as well), and the fact that users can reach the same gateway address means they can actually reach each other's machines as well.
(A hub will not work with a T1. Don't even go there.)
> you cannot do it with the hardware that you have.
I concur. The four ports on the router are switch ports on a single VLAN/subnet, and do not offer the kind of separation needed.
Then not adequately tested. Although you've given the subnets different subranges, they're not really on different networks. A sniffer will reveal some of the other subnet's traffic (especially broadcasts, but possibly other stuff as well), and the fact that users can reach the same gateway address means they can actually reach each other's machines as well.
(A hub will not work with a T1. Don't even go there.)
> you cannot do it with the hardware that you have.
I concur. The four ports on the router are switch ports on a single VLAN/subnet, and do not offer the kind of separation needed.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I simple switch that supports VLAN (from either Cisco or 3com) between the 2 networks and the router would easily solve your problem.
Assign each network a different VLAN and tada! They can't see or hear each other =) No special configurations on each desktop no special router configs....saves LOADS of headache later on when something doesn't work
Assign each network a different VLAN and tada! They can't see or hear each other =) No special configurations on each desktop no special router configs....saves LOADS of headache later on when something doesn't work
aindelicato, sometimes microsoft will allow you to route across subnets incorrectly however according to ip subnet standards you should not be able to communicate with a gateway that is not on the same subnet as the device. ie 192.168.10.1/24 gateway 192.168.1.1
holger12345, isn't that the same thing I suggested?
holger12345, isn't that the same thing I suggested?
ASKER
I am currently investigating/testing some of the responses posted above. I'll be back to respond soon.
I think primeradmin wanted to give us the result of his testings... else all should work fine, no?
Unless I am having a brain-fart this will be hard to do unless you purchase a second router and do something like the following
T1 with WAN public address and LAN private address 192.168.1.1 (255.255.255.0)
Department #1
Router #1 WAN address 192.168.1.2, mask 255.255.255.0, gateway 192.168.1.1
LAN address 192.168.10.1, mask 255.255.255.0
Router #1 LAN devices connect via hub. 192.168.10.x subnet with 192.168.10.1 gateway
Department #2
Router #2 WAN address 192.168.1.3, mask 255.255.255.0, gateway 192.168.1.1
LAN address 192.168.20.1, mask 255.255.255.0
Router #2 LAN devices connect via hub. 192.168.20.x subnet with 192.168.20.1 gateway