• Status: Solved

Two Linksys Routers - One way VLAN


I have an installation where I have 3 Lab workstations running just one application connected to the internet for updates thru a Linksys router. The customer would like his office desktop to share this internet access, but I do not want the office machine to have access to the 3 lab machines. I've disinfected the office machine before and want to make sure that the lab workstations are protected from contamination.
Considering the diagram below (both routers are Linksys 4 port):

Internet--Router1--Lab (192.168.1.0/24) Existing
             |
          Router2--Office (192.168.2.0/24) Proposed

a) Will this isolate the lab LAN from the office desktop, or does the internet connection have to start at Router2? Or must I have a 3rd router like holger12345's solution at:
http://www.experts-exchange.com/Networking/Q_21140560.html
b) Should I also disable some services on the office machine, like Computer Browser and TCP/IP NetBIOS Helper?

Thanks in advance
jorsing
pseudocyber Commented:
I don't think that setup will work.  In order to provide both with Internet access, the edge router (the one on the Internet) would have to know where the other network is, with a static route.  Enabling a static route would enable the computers on network 1 to reach network 2.

You really need a "real" router, like a low end Cisco, to do this properly.
 
jorsing (Author) Commented:
Yes, I would have to enable the static route, like I've done when adding a wireless AP to an existing wired network.

But do I care if the Lab network1 can see the Office network2? I think I'm more concerned with making sure the office network can't see the Lab, so that any parasite on the office network is contained and not "pushed" to the lab network by some trojan script.
Or do I need to be worried about the Lab network1 pulling a bug from office network2?


 
mtpcbypc Commented:
I would like to suggest an easy way to make both secure: 3 routers. It's an extra piece of hardware, but if something gets reset you won't have unknown access between LANs. First, you want to configure each device separately from the other devices so that they don't conflict.

Router 1) Connect the WAN to the Internet cable. Configure it from the LAN port. Set it up to use a LAN address of 192.168.10.1 instead of 192.168.1.1 so that it is different from each of the others. Enable DHCP on it but set it up to only 3 addresses, and then configure them to be static DHCP for the MAC address of the unit that you are using to configure it and each of the other 2 routers. Block all other IPs so that it can't be plugged into by anything else to get unrestricted access. Then configure each of the other routers SEPARATELY, due to the fact that they come from the factory with the same settings.

Router 2) Connect the WAN port to a LAN port in Router 1. This will assign an address to the WAN of Router 2 and give it Internet access. Then configure the LAN port of Router 2 to 192.168.20.1 so that it is different from your primary router. Configure it to work as needed and connect the Office LAN to its LAN ports.

Finally, configure Router #3 using 192.168.30.1 as its LAN address, different from each of the other segments. Plug its WAN port into Router #1's LAN ports just like you did with the WAN from Router #2. Set it up as needed for access for the Lab and plug the Lab into Router #3's LAN ports.

You will notice that both the office and the Lab can ping 192.168.10.1 but neither can ping each other. If you had used the configuration you had proposed, the Office would have complete access to the Lab.


                                                                              |---Router #2 -------- Office Network
                                                                              |
Internet --- Router #1-Static DHCP with MAC filter and blocked all other IP's-|
                                                                              |
                                                                              |---Router #3 -------- Lab network
holger12345 Commented:
Hi Jorsing,

just to understand you right (please deny if I'm wrong):
1 - Office and Lab belong to the same customer - so there is no need to secure data from each other
2 - The Lab is the one who may not be accessed from the office
3 - The office may be accessed from the Lab

If all 3 are true, you may go with a slightly different setup than yours:

             Router1-------Lab (192.168.1.0/24) Existing
             (wan-port)
                  |
Internet--Router2--Office (192.168.2.0/24) Proposed

As your WAN-port of router1 has to be plugged into the LAN-side (switch) of router2, you may gain access to the office, but not vice versa - you do NAT at the R1.
In case you may not access the office, the solution with a third router is possible - both LANs are inaccessible to each other.

Even though this scenario is possible, pseudocyber is right when he points out to buy a "real" router - that means a router with different LAN ports and VLAN capabilities. Anyway, if you want to stay with your equipment you may be lucky if your router's WAN-port provides Ethernet capability (meaning that you can plug a standard LAN into it).

cheers and good luck Holger
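
The three layouts discussed in this thread (the question's proposal, holger12345's swapped layout, and mtpcbypc's three-router layout), compared as an added example that is not part of any poster's answer. It assumes each router is a default consumer NAT box with no port forwarding, DMZ host or static routes; the network names and the TOPOLOGIES table are constructed for illustration.

```python
# Added example: models default consumer NAT routers (no port forwards,
# no DMZ, no static routes). Network names below are constructed labels.
INTERNET = "internet"

# Each router is a (wan_side_network, lan_side_network) pair.
TOPOLOGIES = {
    # Question: Router2's WAN port plugged into Router1's LAN (the lab LAN).
    "proposed": [("internet", "lab"), ("lab", "office")],
    # holger12345: Router1's WAN port plugged into Router2's LAN (office LAN).
    "swapped": [("internet", "office"), ("office", "lab")],
    # mtpcbypc: Router #1 serves a transit LAN; Routers #2 and #3 hang off it.
    "three_router": [("internet", "transit"), ("transit", "office"),
                     ("transit", "lab")],
}

def reachable_from(network, routers):
    """Networks a host on `network` can open connections to.

    Outbound traffic crosses a NAT router from LAN to WAN; unsolicited
    traffic from WAN to LAN is dropped, so the walk only goes upstream.
    """
    seen = [network]
    current = network
    while current != INTERNET:
        upstream = [wan for wan, lan in routers if lan == current]
        if not upstream or upstream[0] in seen:
            break  # no router above this segment, or a wiring loop
        current = upstream[0]
        seen.append(current)
    return seen

def can_initiate(src, dst, topology):
    return dst in reachable_from(src, TOPOLOGIES[topology])

def isolation_report(topology):
    """Summarise both directions between the office and lab segments."""
    return {
        "office_to_lab": can_initiate("office", "lab", topology),
        "lab_to_office": can_initiate("lab", "office", topology),
        "office_to_internet": can_initiate("office", INTERNET, topology),
        "lab_to_internet": can_initiate("lab", INTERNET, topology),
    }

if __name__ == "__main__":
    for name in TOPOLOGIES:
        print(name, isolation_report(name))
```

Only the three-router layout reports False in both directions between office and lab; the other two each leave one segment sitting on the upstream side of the other's NAT.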
 
holger12345 Commented:
mtpcbypc ... 1 minute earlier ;-)
the solution is the one with the third router like you've already seen at my old thread ...
 
mtpcbypc Commented:
ARGH too slow drawing pictures.  thanks
 
jorsing (Author) Commented:
Thanks to everyone for answering. I'm splitting points.
100 to pseudocyber for the best practices solution
200 to mtpcbypc for well laid out instructions
200 to holger12345 for the solution I referenced in my question and mtpcbypc laid out step by step

Accepted answer goes to mtpcbypc, because the next person searching will get pointed to the most information.
BTW, take a look at sveasoft open source firmware for the Linksys WRT54G, which does allow VLANs by port, QoS and more.
http://www.sveasoft.com
 
holger12345 Commented:
Thx for the points and that nice link ;-)