

Securing network from a subnet?

Posted on 2008-06-14
Medium Priority
Last Modified: 2008-06-24
I have a home network set up as  The router is configured as a DHCP server with IP address= and subnet mask  So far so good, been running fine for years.

I have placed a router on the network for guests to use (I'll call this the subrouter).  The main router assigns it an IP address, and the subrouter is configured as a DHCP server to assign IP address  This is also working fine.

What I want to achieve is for the guests, who receive addresses from the subrouter to be able to
(1) access the internet via the main router
(2) access other devices (such as a printer in the guest quarters)
(3) NOT access other devices on the main network (such as my desktop computer and file server) -- only internet access via the main router, which is

In other words I want my guests to have their own little network which is contained in my network, can access the internet through it, but can't access my other network resources.

How do I achieve this?  I suspect it has something to do with subnet mask settings, but I cannot seem to construct my search terms in such a way to readily find the answer.

Many thanks in advance!
Question by:bnchester
Assisted Solution

kanlue earned 75 total points
ID: 21786672
you may try it this way:
1) use the main router for guests;
2) move your network under sub router;
3) at the sub router, enable firewall settings to only allow outgoing access, so that your guests can not get into your network under sub router;

hope it helps.

Author Comment

ID: 21786705
Please explain the notation you used -- -- what is the /24?

How does restricting the firewall to outgoing access only prevent access to the rest of the network?  doesn't data need to flow both ways, such as when a web page gets delivered to the browser?  Not sure I understand that setting.

Expert Comment

ID: 21786715
sorry about the confusion.
/24 means the subnet mask is

normally some routers like linksys, belkin, netgear, etc, come with a default firewall setup, which only allows users behind it to access outside network resources freely, and won't allow outside to access any network behind it. i should not say 'block' in my previous reply. just login to the sub router to confirm/enable basic firewall/network protection features.

hope it helps.

Author Comment

ID: 21786976
OK, well, I have a brand new Netgear router, but it does not seem to have any available firewall settings as does the main router (which has a menu for "rules" under "security").  And when I connect via the subnetwork I can access all the network resources.  Any other ideas, other than buying a new router?

Expert Comment

ID: 21786992
if I'm reading bnchester correctly, I think this is what he/she meant.

main router (the router directly connected to your 192.168.184/24 network)  
   assumption is the WAN port on the Main router is connected to a switch that's local to your Internet Gateway and assuming
   "since it's a home type environment"  you're using a Linksys  type router that also provides firewall services.
The main router should have the firewall enabled on the WAN port

Now, connect the (as you described it) sub-router's WAN port to a switch that's local to your Internet gateway (similar to the way your main router is connected.)

if your main router's firewall is enabled on its WAN port, no sub-router traffic should be able to traverse the main router's network.

Internet Gateway  ----->  Firewalled WAN port on Main router - > network
                              ----->  Firewalled WAN port on subrouter -> network
The problem with this approach is if you only have one public IP, and that IP is assigned to your internal router, you'll have a problem.  You will need to add an additional public IP to your network...  
That said, if your configuration is in line with many mainstream home configs, your ISP provided router will host your public IP, and assign private IPs to your internal network.  
In this case, both the MAIN and SUB router's WAN ports will obtain a private IP from your ISP's router.

I suppose you could also do the following (not my preference BTW)

plug WAN port from MAIN router into LAN port of subrouter.
plug WAN port from sub-router into Internet gateway.
this scenario would force all of your MAIN network to traverse through the sub-router before it reached the Internet.
HOWEVER, if you only have 1 public IP available, and that IP is assigned to your internal router, the latter suggestion may be your best option.

Author Comment

ID: 21787014
I'm sort of understanding this.  fhmc is correct that I have one IP from my ISP (and I'm a "he" by the way).  Is there not some way to "segment" my LAN, so for example forget about the 192.168.0.x stuff but have one group of resources be and another, and they cannot see each other's resources?  

fhmc, do you agree with kanlue that if my subrouter had accessible firewall rules his solution would work?  I could return the one I just bought for one with that ability.

Author Comment

ID: 21787020
This is kind of what I was thinking, but I can't find out how to implement it...

Definition of: LAN segment

A section of a local area network that is used by a particular workgroup or department and separated from the rest of the LAN by a bridge, router or switch. Networks are divided into multiple segments for security and to improve traffic flow by filtering out packets that are not destined for the segment. See subnet mask.

Author Comment

ID: 21787028
Just found this on experts-exchange:  Sounds like what I want to do,  Think it will work?  fhmc, this still creates the situation you described where all my traffic has to go through two layers of routing, right?

Accepted Solution

fhmc earned 225 total points
ID: 21787116
my bad...  My intended reference was to kanlue...

is your public IP currently assigned to your main router?

The link you posted seems to suggest a scenario similar to the one I described.  Yes, it should work for you.

that said, if your public IP IS assigned to the WAN port on your internal router, AND if you don't want to buy new equipment or pay for an additional IP, this sort of solution is likely your best bet.

I think it's worth your while to determine if your public IP must be assigned to your internal equipment though.  If your ISP provided equipment can host your public IP and then provide private IPs internally to multiple hosts, my preference would be to pursue that path.

back to the basics...  If your public IP must be assigned to an internal host on your network (e.g. linksys, netgear, etc.)  the approach I would most likely pursue is as follows:

1.  If I recall correctly, your MAIN router provides firewall services, but your new router doesn't.
2.  directly connect the WAN port from the router that DOESN'T offer firewall services to your ISP (call that router, publicr1)
            your guests connecting to the "guest" router will not be afforded the degree of protection your MAIN router users will.
3.  connect your MAIN router (call that privater1), that DOES provide WAN side firewall services to the LAN port on your publicr1 router.
4.   the WAN port on your MAIN router will have an IP addy that's local to the sub-router's lan
5.  if the MAIN router/firewall is configured to block inbound traffic, the hosts on the sub-router's network shouldn't be able to communicate w/ any hosts on the MAIN router's subnet...


ISP equipment ---->  (public WAN port IP) guest router/no firewall-> (private IP 1) guest hosts
                                                                                                         |-> (private IP 2) Main router/firewall - > guests

1.  your private (main) network traffic will have to traverse the "guest" router in order to access the Internet.
      In your case, this isn't likely worthy of concern.
           if you're paranoid about traffic security, this is bad.
2.   the scenario I described should not permit any direct access to your MAIN network
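The accepted double-NAT layout (ISP -> guest router -> main router, whose WAN-side firewall drops unsolicited inbound) only works if the two subnets are distinct and the main router's WAN address actually sits on the guest LAN. The following is an added illustration, not code from this thread or from any router vendor; the addresses are constructed, and the helper also answers the "/24" question raised earlier.

```python
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.0' -> 24: the /24 shorthand asked about in the thread."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def check_double_nat_plan(outer_lan: str, inner_wan_ip: str, inner_lan: str) -> list:
    """Validate the layout: outer_lan is the guest router's LAN (where the main
    router's WAN port lives); inner_lan is the main router's LAN that guests must
    not reach.  Returns a list of problems; an empty list means the plan is sound."""
    outer = ipaddress.ip_network(outer_lan)
    inner = ipaddress.ip_network(inner_lan)
    wan_ip = ipaddress.ip_address(inner_wan_ip)
    problems = []
    # Two consumer routers often default to the same 192.168.x.0/24; overlapping
    # subnets silently break routing between them, so renumber one of them.
    if outer.overlaps(inner):
        problems.append(f"outer LAN {outer} overlaps inner LAN {inner}")
    # The main router's WAN port must hold a usable host address on the guest LAN.
    if wan_ip not in outer:
        problems.append(f"inner WAN address {wan_ip} is not inside outer LAN {outer}")
    elif wan_ip in (outer.network_address, outer.broadcast_address):
        problems.append(f"inner WAN address {wan_ip} is a network/broadcast address")
    if not (outer.is_private and inner.is_private):
        problems.append("both LANs should use RFC 1918 private ranges")
    return problems


def guest_path(dst_ip: str, outer_lan: str, inner_wan_ip: str, inner_lan: str) -> str:
    """Classify where a packet from a guest host on outer_lan ends up."""
    dst = ipaddress.ip_address(dst_ip)
    if dst == ipaddress.ip_address(inner_wan_ip):
        return "inner-router-wan"   # only main-network address a guest can hit; stopped by its firewall
    if dst in ipaddress.ip_network(outer_lan):
        return "guest-lan"          # e.g. the printer in the guest quarters
    if dst in ipaddress.ip_network(inner_lan) or dst.is_private:
        return "unroutable"         # guest router has no route; sent to the ISP and discarded
    return "internet"               # NATed out through the guest router


if __name__ == "__main__":
    # Constructed example: guest LAN 192.168.1.0/24, main router WAN 192.168.1.2,
    # main LAN 192.168.0.0/24.
    print(check_double_nat_plan("192.168.1.0/24", "192.168.1.2", "192.168.0.0/24"))
    print(guest_path("192.168.0.10", "192.168.1.0/24", "192.168.1.2", "192.168.0.0/24"))
```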

Assisted Solution

Mysidia earned 75 total points
ID: 21790345
Don't plug the WAN port of your main router into the LAN port of your subrouter.

This defeats the additional security you are trying to add: it  makes it possible for a guest
to sniff your traffic  via ARP injection.

You could use three routers A, B, C.

A with WAN -> ISP  Cable/DSL modem.
B,C with WAN ->  router A's LAN ports

B == your home network
C ==  guest network.

To use two routers...

Router A's WAN port -->   Cable/DSL modem

Router B's WAN port --> Router A's LAN port

ROUTER A  subnet
    ROUTER B subnet         /24

Set a static route on Router B  pointing the second half of the subnet
to some ip that doesn't exist on the outer LAN

And then, change the outer LAN's ip range so that the workstations have
IPs  that the inner router   has a static route to prevent it from properly routing.

