• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6259

Routing between two networks

We have a network on 192.168.x.0/24 and we have recently set up a separate standalone network.

Whilst the standalone network was being set up it was permissible and indeed necessary to connect to the web and our other network and we connected a switch on each network to one another.  In order to get routing between the networks we manually configured all machines on what would become the standalone network to use 192.168.x... and this worked fine.

We have now completed the set up, the network is in use and it is no longer permissible to connect the standalone network beyond itself. It must remain completely isolated.  We're now using DHCP 192.168.y.0/24 for this network.

If in the future, it is necessary (although I'd be breaking the rules!) to get a connection to our main network I would again connect a switch on each network.  But I would have no routing between them - is this a correct assumption?

1) How would I go about setting up a temporary route that would allow the standalone network to reach outside itself, but not for the outside to reach in?

2) How would I demonstrate that no-one on our main network could detect the presence of the standalone network whilst this routing was in place?

Both networks are domains using W2K3 as DCs.

I'm sure that this is an easy question for somebody, but I think it warrants top points!
8 Solutions
Hi jahboite,
If I were doing this, I would use a small firewall (appliance or PC with OS and firewall software) to route between the two networks, but shield the special network from the main network.

An appliance that I have done this with is:

But I am currently designing a very similar network setup and expect to use an ordinary PC and this free product:

Hope this helps,
Smoothwall all the way.
jahboiteAuthor Commented:
Thank you Alan and jaysonfranklin,

This is a good idea I'd not considered and some kind of hardware firewall could I'm sure be configured to be completely undetectable from one side of it whilst letting certain traffic be initiated from the other.

The thing is, I cannot put a box between the two networks because on a day-to-day basis, they'll be physically separate.  Only on very rare occasions might they need to be connected, but as I said, the rules disallow this.  Therefore I cannot be seen to be putting something in place that makes it secure.

I'm looking for a temporary solution that would not draw attention to itself, but that I could also demonstrate, if necessary, is 100% secure.

Am I perhaps asking for too much? (I usually am!)

connect the networks by the switch, then do the following on the pc you want to have access to the other network:

route add 192.168.y.0 mask 255.255.255.0 192.168.x.z

where z is the last number of the IP address of the local network interface which is connected to the 192.168.x.0/24 network.

Unless the computers on the 192.168.y.0 network are configured with similar routes, they will not know how to reach the 192.168.x.0 network.

You should not leave this in place though, and using a router with a firewall like stated above is a better solution.
You can delete the route by either rebooting or typing:

route delete 192.168.y.0 mask 255.255.255.0 192.168.x.z

To prove the other network does not see your route, run ping on a machine in the other network to the ip address of the machine you made the route on. It should tell you: network unreachable.
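The procedure in this answer (add an on-link route from the PC, verify reachability from that side only, then remove it) as a single batch script. This is an added example, not dlangr's own commands or anything from the thread; the addresses are constructed placeholders: 192.168.10.0/24 stands in for 192.168.x.0/24, 192.168.20.0/24 for 192.168.y.0/24, 192.168.10.5 is the PC's own address (the "x.z" above) and 192.168.20.10 is an assumed host on the standalone side.

```batch
@echo off
REM Added example (not from the thread). Temporary on-link route from a PC on
REM the main network to the standalone network, with verification and cleanup.
REM All addresses below are constructed placeholders.
set LOCAL_IP=192.168.10.5
set REMOTE_NET=192.168.20.0
set REMOTE_MASK=255.255.255.0
set REMOTE_HOST=192.168.20.10

REM 1. Add the route. Naming this PC's own address as the gateway tells Windows
REM    the destination is directly reachable on the local segment, i.e. through
REM    the cable joining the two switches. No -p flag, so it does not persist.
route add %REMOTE_NET% mask %REMOTE_MASK% %LOCAL_IP%

REM 2. Confirm the route is present. route print accepts a wildcard destination.
route print %REMOTE_NET%*

REM 3. Reachability check from this side. The standalone hosts have no route
REM    back to 192.168.10.0/24, so the reverse direction is expected to fail.
ping -n 2 %REMOTE_HOST%

REM 4. Remove the route as soon as the work is done.
route delete %REMOTE_NET%

REM 5. Confirm nothing is left behind; the wildcard print should show no entry.
route print %REMOTE_NET%*
```

Run it from an elevated command prompt on the PC with the 192.168.x.z interface. Note what step 3 does and does not prove: a successful ping here and a failed ping from the other side only show that hosts on the standalone network lack a route, not that the segment is isolated, since the switches are still joined at layer 2 for the duration.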
Well, first of all, it seems that when merging two networks, it is because attention has been drawn to the point where it has become a need to have the networks linked. Your last comment almost sounds shady. Why wouldn't you want anybody to know you connected these two networks? Also, I'll go ahead and tell you, if you do this, whoever is managing the network will more than likely notice the change. I know I would. If you want to connect two remote offices together, use a VPN. It's probably the most secure, and a lot less expensive than leased lines. You would use access-lists to permit exactly what traffic you want going in and out of each network. Let me know if this helps...

And to add something else...most of the time when you want to merge networks, it's because one network needs to use network resources (servers, etc.) on a different network. Are you trying to access the servers on another network? Or do you just need access to a specific host on another network? If so, a VPN tunnel to the host would probably be less of a hassle.

There's some good freeware VPN that's pretty good. I use it on my home PC. Get it here....logmein.com
You can also put a second network card in your PC and put in a cable of the other network when you need to access it. Either rely on DHCP for getting an IP address or configure the network card(s) with a static IP which is outside the IP range. You could then disconnect the default network card while accessing the other network. Both networks won't be able to see each other 100% guaranteed (because you unplugged it). It would however allow things like viruses present on your PC at the time you switch networks to infect the other network.

You can also do this with 1 network card, but if you do not use DHCP on one of the networks you would have to reconfigure the interface every time.

Disclaimer: none of my posts should be used to circumvent security policies on networks you are not the admin of. Note that tinkering with a secured network is almost always noticed by the admins responsible for securing them.
If you need only a temporary solution then you can use the Windows RRAS service.

With this, only the second network can reach the main network and not vice versa.

The reason that the main network cannot reach the second network is that you will be using NAT for the second network.

Here is how you configure it.

Take any machine with Windows 2003 installed on it. It should also have two NIC cards as well.

The first NIC would be connected to the second network and the other to the main network.

Now, configure RRAS as a NAT server (same option with which Internet access is given).
The only difference is that you are giving access to the main network and not the Internet.
Here is the link to configure it.

Let me know if you have any confusion.

jahboiteAuthor Commented:
dlangr - this looks like just the ticket and I've been playing around with this command at home with the aim of simulating two nets:

I've got a router with a pc and a laptop on wired lan. The router is and PC
When all three boxes are on the same subnet I can ping each machine from each other.

I've then configured the laptop to and added a route to
I can't then ping across the subnets from any of the three machines.
I've added routes to on the other two boxes and I can now ping from laptop to PC and the other way round, but the router still won't ping across the subnets. (doesn't matter because I'm pretending it's just a switch, but I cannot explain this - can you?)
And I can browse by IP address from laptop to PC and vice versa.  Good.

Now then I've proved to my satisfaction that having only a route on the PC to the Laptop means I can't get an echo back from the laptop which is nice and safe. Good.
But at the same time neither machine will talk to each other because only one of them knows a route to the other!

So I have to ask - is this expected and if so, what bloody use is that? (I'm giggling to myself because I think I should have seen this coming, no?)

But I would be right in saying, would I not, that by adding a route from a specific machine to another specific machine in both directions will allow them to talk to each other?

Would this traffic manage to pass between the two switches in question?

I really have a lot to learn about networking!

Jaysonfranklin - Without going in to any detail, there's nothing shady about this at all and I'm not trying to cover any tracks. There is a very real restriction on connecting this network beyond itself and I must be absolutely certain that I wouldn't expose it to any risk of intrusion which is why the main network must not know of the connection - for instance the standalone domain name showing up in Microsoft Windows Network!!!
A firewall would have to be documented and I can't document something that isn't supposed to be needed!

Just to note that I am the admin for the networks - god help them!

prashax - thanks for that, I could use the RRAS and I'll look into the possibility.  I do have 2 NICs but they're teamed so this may be a bit of a farce, but investigate it I will!
Keep in mind that any connection between the networks that doesn't have some type of firewall in place could not be demonstrated as secure.  Simply connecting two networks together with a jumper will effectively supernet your networks.  By defining an alternate IP address, or simply changing the IP address, on a machine in one network I will gain access to the machines in the other network.

To keep it secure one, or both, networks must consider the other network hostile and put protection in place.  The ultimate firewall is a disconnected cable, hence the no-connect rule.

Just something to think about...
jahboiteAuthor Commented:
That's true Alan, I hadn't thought of the IP change from that angle.
It's a good job we've based our security on total isolation!
I had wanted to demonstrate a readiness to cope with the possible requirement of connecting the networks - even if only briefly (it's not like our main network is insecure because it most certainly is not), but having read the collective input here I'm coming to the conclusion that I should refuse the temptation and, should it be necessary, find another way to deal with any issue that could be solved by a connection.

We have one issue right now and it's a good example of why I might have been tempted:
We have an Enterprise AV product installed (on both networks actually) and I've already demonstrated that we can perform application, engine and signature updates using the main network and then transfer the same packages to the standalone network using a removable device.
That's all lovely except that we've discovered that the AV calls a webserver to check its license periodically and after a number of days of being unable to do so, it reports its license as expired and will not allow any signature updates! Can you effing believe it?

Anyway I'm going to split the points 4 ways.  Thank you all for your wise words.