Solved

Securing network from a subnet?

Posted on 2008-06-14
10
513 Views
Last Modified: 2008-06-24
I have a home network set up as 192.168.184.xxx.  The router is configured as a DHCP server with IP address=192.168.184.1 and subnet mask 255.255.255.0.  So far so good, been running fine for years.

I have placed a router on the network for guests to use (I'll call this the subrouter).  The main router assigns it an IP address, and the subrouter is configured as a DHCP server to assign IP address 192.168.0.xxx.  This is also working fine.

What I want to achieve is for the guests, who receive 192.168.0.xxx addresses from the subrouter to be able to
(1) access the internet via the main router
(2) access other 192.168.0.xxx devices (such as a printer in the guest quarters)
(3) NOT access other 192.168.184.xxx devices on the main network (such as my desktop computer and file server) -- only internet access via the main router, which is 192.168.184.1.

In other words I want my guests to have their own little network which is contained in my network, can access the internet through it, but can't access my other network resources.

How do I achieve this?  I suspect it has something to do with subnet mask settings, but I cannot seem to construct my search terms in such a way as to readily find the answer.

Many thanks in advance!
Question by:bnchester
10 Comments
LVL 7

Assisted Solution

by:kanlue
kanlue earned 25 total points
ID: 21786672
you may try it this way:
---------------
1) use the main router 192.168.184.0/24 for guests;
2) move your network under sub router, 192.168.0.0/24;
3) at the sub router, enable firewall settings to only allow outgoing access, so that your guests can not get into your network under sub router;
---------------

hope it helps.

Author Comment

by:bnchester
ID: 21786705
Please explain the notation you used -- 192.168.184.0/24 -- what is the /24?

How does restricting the firewall to outgoing access only prevent access to the rest of the network?  Doesn't data need to flow both ways, such as when a web page gets delivered to the browser?  Not sure I understand that setting.
0
 
LVL 7

Expert Comment

by:kanlue
ID: 21786715
Sorry about the confusion.
/24 means the subnet mask is 255.255.255.0

Normally some routers like Linksys, Belkin, Netgear, etc., come with a default firewall setup, which only allows users behind it to access outside network resources freely, and won't allow outside to access any network behind it. I should not say 'block' in my previous reply. Just login to the sub router to confirm/enable basic firewall/network protection features.

hope it helps.

Author Comment

by:bnchester
ID: 21786976
OK, well, I have a brand new Netgear router, but it does not seem to have any available firewall settings as does the main router (which has a menu for "rules" under "security").  And when I connect via the subnetwork I can access all the network resources.  Any other ideas, other than buying a new router?
LVL 7

Expert Comment

by:fhmc
ID: 21786992
if I'm reading bnchester correctly, I think this is what he/she meant.

main router (the router directly connected to your 192.168.184/24 network)
assumption is the WAN port on the Main router is connected to a switch that's local to your Internet Gateway and assuming "since it's a home type environment" you're using a Linksys type router that also provides firewall services.
The main router should have the firewall enabled on the WAN port

Now, connect the (as you described it) sub-router's WAN port to a switch that's local to your Internet gateway (similar to the way your main router is connected.)

if your main router's firewall is enabled on its WAN port, no sub-router traffic should be able to traverse the main router's network.

e.g.
Internet Gateway  ----->  Firewalled WAN port on Main router - > 192.168.184.0/24 network
                                |
                                |
                              ----->  Firewalled WAN port on subrouter -> 192.168.0.0/24 network
The problem with this approach is if you only have one public IP, and that IP is assigned to your internal router, you'll have a problem.  You will need to add an additional public IP to your network...
That said, if your configuration is in line with many mainstream home configs, your ISP provided router will host your public IP, and assign private IPs to your internal network.
In this case, both the MAIN and SUB router's WAN ports will obtain a private IP from your ISP's router.

I suppose you could also do the following (not my preference BTW)

plug WAN port from MAIN router into LAN port of subrouter.
plug WAN port from sub-router into Internet gateway.
this scenario would force all of your MAIN network to traverse through the sub-router before it reached the Internet.
HOWEVER, if you only have 1 public IP available, and that IP is assigned to your internal router, the latter suggestion may be your best option.

Author Comment

by:bnchester
ID: 21787014
I'm sort of understanding this.  fhmc is correct that I have one IP from my ISP (and I'm a "he" by the way).  Is there not some way to "segment" my LAN, so for example forget about the 192.168.0.x stuff but have one group of resources be 192.168.184.2-100 and another 192.168.184.101-200, and they cannot see each other's resources?  

fhmc, do you agree with kanlue that if my subrouter had accessible firewall rules his solution would work?  I could return the one I just bought for one with that ability.

Author Comment

by:bnchester
ID: 21787020
This is kind of what I was thinking, but I can't find out how to implement it...

Definition of: LAN segment

A section of a local area network that is used by a particular workgroup or department and separated from the rest of the LAN by a bridge, router or switch. Networks are divided into multiple segments for security and to improve traffic flow by filtering out packets that are not destined for the segment. See subnet mask.

Author Comment

by:bnchester
ID: 21787028
Just found this on experts-exchange:  http://www.experts-exchange.com/Networking/Misc/Q_20896818.html.  Sounds like what I want to do.  Think it will work?  fhmc, this still creates the situation you described where all my traffic has to go through two layers of routing, right?
LVL 7

Accepted Solution

by:fhmc
fhmc earned 75 total points
ID: 21787116
my bad...  My intended reference was to kanlue...

is your public IP currently assigned to your main router?

The link you posted seems to suggest a scenario similar to the one I described.  Yes, it should work for you.

that said, if your public IP IS assigned to the WAN port on your internal router, AND if you don't want to buy new equipment or pay for an additional IP, this sort of solution is likely your best bet.

I think it's worth your while to determine if your public IP must be assigned to your internal equipment though.  If your ISP provided equipment can host your public IP and then provide private IPs internally to multiple hosts, my preference would be to pursue that path.

back to the basics...  If your public IP must be assigned to an internal host on your network (e.g. linksys, netgear, etc.)  the approach I would most likely pursue is as follows:


1.  If I recall correctly, your MAIN router provides firewall services, but your new router doesn't.
2.  directly connect the WAN port from the router that DOESN'T offer firewall services to your ISP (call that router, publicr1)
    your guests connecting to the "guest" router will not be afforded the degree of protection your MAIN router users will.
3.  connect your MAIN router (call that privater1), that DOES provide WAN side firewall services to the LAN port on your publicr1 router.
4.  the WAN port on your MAIN router will have an IP addy that's local to the sub-router's lan
5.  if the MAIN router/firewall is configured to block inbound traffic, the hosts on the sub-router's network shouldn't be able to communicate w/ any hosts on the MAIN router's subnet...

e.g.

ISP equipment ---->  (public WAN port IP) guest router/no firewall -> (private IP 1) guest hosts
                                                                     |
                                                                     |-> (private IP 2) Main router/firewall -> guests

concerns/considerations:
1.  your private (main) network traffic will have to traverse the "guest" router in order to access the Internet.
    In your case, this isn't likely worthy of concern.
    if you're paranoid about traffic security, this is bad.
2.  the scenario I described should not permit any direct access to your MAIN network
LVL 23

Assisted Solution

by:Mysidia
Mysidia earned 25 total points
ID: 21790345
Don't plug the WAN port of your main router into the LAN port of your subrouter.

This defeats the additional security you are trying to add: it  makes it possible for a guest
to sniff your traffic  via ARP injection.

You could use three routers A, B, C.

A with WAN -> ISP  Cable/DSL modem.
B,C with WAN ->  router A's LAN ports

B == your home network
C ==  guest network.

To use two routers...

Router A's WAN port -->   Cable/DSL modem

Router B's WAN port --> Router A's LAN port


ROUTER A subnet    192.168.184.1    255.255.255.0
ROUTER B subnet    192.168.0.1      /24

Set a static route on Router B pointing the second half of the subnet to some ip that doesn't exist on the outer LAN.

And then, change the outer LAN's ip range so that the workstations have IPs that the inner router has a static route to prevent it from properly routing.
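An added illustration, not code from anyone in this thread, of the two points made above: in fhmc's nested layout the main router's WAN-side firewall drops connections that guests open towards the main subnet, while, as Mysidia notes, the main network's own traffic then has to cross the guest LAN on its way out. The router names publicr1/privater1 are fhmc's; the guest subnet 192.168.0.0/24 and the host addresses are constructed from the question.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

@dataclass(frozen=True)
class Router:
    lan: IPv4Network      # subnet handed out on the LAN side
    wan_segment: str      # segment the WAN port is plugged into
    blocks_inbound: bool  # stateful firewall drops connections opened from the WAN side

# Constructed topology of the accepted answer: the firewall-less guest router
# (publicr1) faces the ISP and the main router (privater1) hangs off its LAN.
# A LAN segment is named after the router serving it; "isp" is the public side.
ROUTERS = {
    "publicr1": Router(ip_network("192.168.0.0/24"), "isp", False),
    "privater1": Router(ip_network("192.168.184.0/24"), "publicr1", True),
}

def segment_of(ip: str) -> str:
    """Segment an address lives on; anything outside both LANs is on the ISP side."""
    addr = ip_address(ip)
    return next((name for name, r in ROUTERS.items() if addr in r.lan), "isp")

def path_to_isp(segment: str) -> list[str]:
    """Segments crossed walking outwards from `segment` to the ISP, both inclusive."""
    path = [segment]
    while path[-1] != "isp":
        path.append(ROUTERS[path[-1]].wan_segment)
    return path

def segments_traversed(src: str, dst: str) -> list[str]:
    """Segments a packet from src to dst crosses: up to the nearest shared one, then down."""
    up, down = path_to_isp(segment_of(src)), path_to_isp(segment_of(dst))
    common = next(s for s in up if s in down)
    return up[:up.index(common)] + list(reversed(down[:down.index(common) + 1]))

def can_initiate(src: str, dst: str) -> bool:
    """Does a connection opened by src reach dst?  Stepping from a segment into the LAN
    of a router whose WAN port sits on that segment is inbound, and a blocking router
    drops it.  Only the firewall flag is modelled, not NAT without port forwarding."""
    segs = segments_traversed(src, dst)
    return not any(
        nxt in ROUTERS and ROUTERS[nxt].wan_segment == here and ROUTERS[nxt].blocks_inbound
        for here, nxt in zip(segs, segs[1:])
    )

if __name__ == "__main__":
    desktop, guest, web = "192.168.184.10", "192.168.0.50", "203.0.113.5"
    print("guest -> desktop:", can_initiate(guest, desktop))            # False
    print("desktop -> web crosses:", segments_traversed(desktop, web))  # includes the guest LAN
```

Swapping the two routers' `blocks_inbound` flags, or moving privater1's `wan_segment` to "isp" (fhmc's first, side-by-side layout), shows how the reachability changes with the wiring.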