
Two Linksys Routers - One way VLAN


I have an installation where I have 3 lab workstations running just one application, connected to the internet for updates through a Linksys router. The customer would like his office desktop to share this internet access, but I do not want the office machine to have access to the 3 lab machines. I've disinfected the office machine before and want to make sure that the lab workstations are protected from contamination.
Considering the diagram below (both routers are Linksys 4 port):

Internet--Router1--Lab (192.168.1.0/24) Existing
             |
          Router2--Office (192.168.2.0/24) Proposed

a) Will this isolate the lab LAN from the office desktop, or does the internet connection have to start at Router2? Or must I have a 3rd router like holger12345's solution at:
http://www.experts-exchange.com/Networking/Q_21140560.html
b) Should I also disable some services on the office machine, like Computer Browser and TCP/IP NetBIOS Helper?

Thanks in advance
jorsing
 
pseudocyber commented:
I don't think that setup will work.  In order to provide both with Internet access, the edge router (the one on the Internet) would have to know where the other network is, with a static route.  Enabling a static route would enable the computers on network 1 to reach network 2.

You really need a "real" router, like a low end Cisco, to do this properly.
0
 
jorsing (Author) commented:
Yes, I would have to enable the static route, like I've done when adding a wireless AP to an existing wired network.

But do I care if the Lab network 1 can see the Office network 2? I think I'm more concerned with making sure the office network can't see the Lab, so that any parasite on the office network is contained and not "pushed" to the lab network by some trojan script.
Or do I need to be worried about the Lab network 1 pulling a bug from office network 2?


0
 
mtpcbypc commented:
I would like to suggest an easy way to make both secure: 3 routers. It's an extra piece of hardware, but if something gets reset you won't have unknown access between LANs. First, you want to configure each device separately from the other devices so that they don't conflict.

Router 1) Connect the WAN to the Internet cable. Configure it from the LAN port. Set it up to use a LAN address of 192.168.10.1 instead of 192.168.1.1 so that it is different from each of the others. Enable DHCP on it but set it up for only 3 addresses, and then configure them to be static DHCP for the MAC address of the unit that you are using to configure it and each of the other 2 routers. Block all other IPs so that nothing else can be plugged in to get unrestricted access. Then configure each of the other routers SEPARATELY, due to the fact that they come from the factory with the same settings.

Router 2) Connect the WAN port to a LAN port in Router 1. This will assign an address to the WAN of router two and give it internet access. Then configure the LAN port of Router 2 to 192.168.20.1 so that it is different from your primary router. Configure it to work as needed and connect the Office LAN to its LAN ports.

Router 3) Finally, configure Router #3 using 192.168.30.1 as its LAN address, different from each of the other segments. Plug its WAN port into Router #1's LAN ports just like you did with the WAN from Router #2. Set it up as needed for access for the Lab and plug the Lab into Router #3's LAN ports.

You will notice that both the office and the Lab can ping 192.168.10.1, but neither can ping the other. If you had used the configuration you had proposed, the Office would have complete access to the Lab.

                          |---Router #2 -------- Office Network
                          |
Internet --- Router #1 ---|
                          |
                          |---Router #3 -------- Lab network

Router #1: static DHCP with MAC filter, all other IPs blocked.
0
 
holger12345 commented:
Hi Jorsing,

just to understand you right (please correct me if I'm wrong):
1 - Office and Lab belong to the same customer, so there is no need to secure data from each other
2 - The Lab is the one that may not be accessed from the office
3 - The office may be accessed from the Lab

If all 3 are true, you may go with a slightly different setup than yours:

             Router1-------Lab (192.168.1.0/24) Existing
             (wan-port)
                  |
Internet--Router2--Office (192.168.2.0/24) Proposed

As the WAN port of router1 has to be plugged into the LAN side (switch) of router2, you may gain access to the office, but not vice versa: you do NAT at R1.
In case you may not access the office, the solution with a third router is possible: both LANs are inaccessible to each other.

Even though this scenario is possible, pseudocyber is right when he points out that you should buy a "real" router, that means a router with different LAN ports and VLAN capabilities. Anyway, if you want to stay with your equipment you may be lucky, if your router's WAN port provides Ethernet capability (meaning that you can plug a standard LAN into it).

cheers and good luck Holger
0
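A small reachability model of the three layouts discussed in this thread (the questioner's proposal, holger12345's variant and mtpcbypc's three-router layout), written as an added example and not code from any of the posters. It assumes each Linksys box is a plain NAT router that forwards LAN-to-WAN traffic and drops anything arriving unsolicited on its WAN port (no port forwarding, no static routes), and uses the addresses given in the thread with constructed host IPs.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(eq=False)
class Router:
    # A consumer NAT router: one LAN subnet; its WAN port is plugged into `uplink`'s LAN
    # (uplink=None means the WAN port faces the Internet).
    name: str
    lan: str                      # CIDR, e.g. "192.168.1.0/24"
    uplink: "Router | None" = None


def router_for(routers, ip):
    # Router on whose LAN side `ip` lives; None means "out on the Internet".
    addr = ipaddress.ip_address(ip)
    return next((r for r in routers if addr in ipaddress.ip_network(r.lan)), None)


def can_initiate(routers, src, dst):
    # Outbound LAN->WAN hops are NATed and allowed. A packet that would have to *enter*
    # a router through its WAN port is unsolicited and dropped (no port forwarding or
    # static route assumed), so dst is reachable only if its router lies on the outbound
    # path that src's traffic takes anyway.
    dst_r = router_for(routers, dst)
    if dst_r is None:
        return True  # anything not on a modelled LAN is treated as the Internet
    r = router_for(routers, src)
    while r is not None:  # walk outward, LAN -> WAN, towards the Internet
        if r is dst_r:
            return True
        r = r.uplink
    return False


def thread_topologies():
    # (a) the question's proposal: Router2 (office) hangs off Router1 (lab)
    a1 = Router("Router1-lab", "192.168.1.0/24")
    a2 = Router("Router2-office", "192.168.2.0/24", uplink=a1)
    # (b) holger12345's variant: Router1 (lab) hangs off Router2 (office)
    b2 = Router("Router2-office", "192.168.2.0/24")
    b1 = Router("Router1-lab", "192.168.1.0/24", uplink=b2)
    # (c) mtpcbypc's three-router layout: office and lab each hang off an edge router
    c1 = Router("Router1-edge", "192.168.10.0/24")
    c2 = Router("Router2-office", "192.168.20.0/24", uplink=c1)
    c3 = Router("Router3-lab", "192.168.30.0/24", uplink=c1)
    return {"proposed": [a1, a2], "holger": [b1, b2], "three_router": [c1, c2, c3]}


def reachability(routers, office_ip, lab_ip):
    # (office -> lab, lab -> office): which side can open connections to the other?
    return can_initiate(routers, office_ip, lab_ip), can_initiate(routers, lab_ip, office_ip)
```

With constructed hosts 192.168.2.10 (office) and 192.168.1.10 (lab) the proposal gives office->lab True and lab->office False, holger12345's layout gives the reverse, and the three-router layout gives False both ways while both LANs can still reach 192.168.10.1. A static route or port forward on any router would break the "unsolicited WAN traffic is dropped" assumption and has to be modelled separately.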
 
holger12345 commented:
mtpcbypc ... 1 minute earlier ;-)
the solution is the one with the third router like you've already seen at my old thread ...
0
 
mtpcbypc commented:
ARGH too slow drawing pictures.  thanks
0
 
jorsing (Author) commented:
Thanks to everyone for answering. I'm splitting points:
100 to pseudocyber for the best-practices solution
200 to mtpcbypc for well laid out instructions
200 to holger12345 for the solution I referenced in my question and mtpcbypc laid out step by step

Accepted answer goes to mtpcbypc, because the next person searching will get pointed to the most information.
BTW, Take a look at sveasoft open source firmware for the Linksys WRT54G, which does allow vlans by port, QoS and more.
http://www.sveasoft.com
0
 
holger12345 commented:
Thx for the points and that nice link ;-)
0