

Securing network from a subnet?

Posted on 2008-06-14
Medium Priority
Last Modified: 2008-06-24
I have a home network set up as 192.168.184.xxx.  The router is configured as a DHCP server with IP address= and subnet mask  So far so good, been running fine for years.

I have placed a router on the network for guests to use (I'll call this the subrouter).  The main router assigns it an IP address, and the subrouter is configured as a DHCP server to assign IP address 192.168.0.xxx.  This is also working fine.

What I want to achieve is for the guests, who receive 192.168.0.xxx addresses from the subrouter to be able to
(1) access the internet via the main router
(2) access other 192.168.0.xxx devices (such as a printer in the guest quarters)
(3) NOT access other 192.168.184.xxx devices on the main network (such as my desktop computer and file server) -- only internet access via the main router, which is

In other words I want my guests to have their own little network which is contained in my network, can access the internet through it, but can't access my other network resources.

How do I achieve this?  I suspect it has something to do with subnet mask settings, but I cannot seem to construct my search terms in such a way as to readily find the answer.

Many thanks in advance!
Question by:bnchester

Assisted Solution

kanlue earned 75 total points
ID: 21786672
you may try it this way:
1) use the main router for guests;
2) move your network under sub router;
3) at the sub router, enable firewall settings to only allow outgoing access, so that your guests can not get into your network under sub router;

hope it helps.

Author Comment

ID: 21786705
Please explain the notation you used -- what is the /24?

How does restricting the firewall to outgoing access only prevent access to the rest of the network?  Doesn't data need to flow both ways, such as when a web page gets delivered to the browser?  Not sure I understand that setting.

Expert Comment

ID: 21786715
sorry about the confusion.
/24 means the subnet mask is

Normally some routers like Linksys, Belkin, Netgear, etc., come with a default firewall setup, which only allows users behind it to access outside network resources freely, and won't allow outside to access any network behind it. I should not say 'block' in my previous reply. Just login to the sub router to confirm/enable basic firewall/network protection features.

hope it helps.


Author Comment

ID: 21786976
OK, well, I have a brand new Netgear router, but it does not seem to have any available firewall settings as does the main router (which has a menu for "rules" under "security").  And when I connect via the subnetwork I can access all the network resources.  Any other ideas, other than buying a new router?

Expert Comment

ID: 21786992
if I'm reading bnchester correctly, I think this is what he/she meant.

main router (the router directly connected to your 192.168.184/24 network)
   assumption is the WAN port on the Main router is connected to a switch that's local to your Internet Gateway and assuming
   "since it's a home type environment" you're using a Linksys type router that also provides firewall services.
The main router should have the firewall enabled on the WAN port

Now, connect the (as you described it) sub-router's WAN port to a switch that's local to your Internet gateway (similar to the way your main router is connected.)

if your main router's firewall is enabled on its WAN port, no sub-router traffic should be able to traverse the main router's network.

Internet Gateway  ----->  Firewalled WAN port on Main router - > network
                              ----->  Firewalled WAN port on subrouter -> network
The problem with this approach is if you only have one public IP, and that IP is assigned to your internal router, you'll have a problem.  You will need to add an additional public IP to your network...
That said, if your configuration is in line with many mainstream home configs, your ISP provided router will host your public IP, and assign private IPs to your internal network.
In this case, both the MAIN and SUB router's WAN ports will obtain a private IP from your ISP's router.

I suppose you could also do the following (not my preference BTW)

plug WAN port from MAIN router into LAN port of subrouter.
plug WAN port from sub-router into Internet gateway.
this scenario would force all of your MAIN network to traverse through the sub-router before it reached the Internet.
HOWEVER, if you only have 1 public IP available, and that IP is assigned to your internal router, the latter suggestion may be your best option.

Author Comment

ID: 21787014
I'm sort of understanding this.  fhmc is correct that I have one IP from my ISP (and I'm a "he" by the way).  Is there not some way to "segment" my LAN, so for example forget about the 192.168.0.x stuff but have one group of resources be and another, and they cannot see each other's resources?  

fhmc, do you agree with kanlue that if my subrouter had accessible firewall rules his solution would work?  I could return the one I just bought for one with that ability.

Author Comment

ID: 21787020
This is kind of what I was thinking, but I can't find out how to implement it...

Definition of: LAN segment

A section of a local area network that is used by a particular workgroup or department and separated from the rest of the LAN by a bridge, router or switch. Networks are divided into multiple segments for security and to improve traffic flow by filtering out packets that are not destined for the segment. See subnet mask.

Author Comment

ID: 21787028
Just found this on experts-exchange:  http://www.experts-exchange.com/Networking/Misc/Q_20896818.html.  Sounds like what I want to do.  Think it will work?  fhmc, this still creates the situation you described where all my traffic has to go through two layers of routing, right?

Accepted Solution

fhmc earned 225 total points
ID: 21787116
my bad...  My intended reference was to kanlue...

is your public IP currently assigned to your main router?

The link you posted seems to suggest a scenario similar to the one I described.  Yes, it should work for you.

that said, if your public IP IS assigned to the WAN port on your internal router, AND if you don't want to buy new equipment or pay for an additional IP, this sort of solution is likely your best bet.

I think it's worth your while to determine if your public IP must be assigned to your internal equipment though.  If your ISP provided equipment can host your public IP and then provide private IPs internally to multiple hosts, my preference would be to pursue that path.

back to the basics...  If your public IP must be assigned to an internal host on your network (e.g. linksys, netgear, etc.)  the approach I would most likely pursue is as follows:

1.  If I recall correctly, your MAIN router provides firewall services, but your new router doesn't.
2.  directly connect the WAN port from the router that DOESN'T offer firewall services to your ISP (call that router, publicr1)
            your guests connecting to the "guest" router will not be afforded the degree of protection your MAIN router users will.
3.  connect your MAIN router (call that privater1), that DOES provide WAN side firewall services, to the LAN port on your publicr1 router.
4.   the WAN port on your MAIN router will have an IP addy that's local to the sub-router's lan
5.  if the MAIN router/firewall is configured to block inbound traffic, the hosts on the sub-router's network shouldn't be able to communicate w/ any hosts on the MAIN router's subnet...


ISP equipment ---->  (public WAN port IP) guest router/no firewall-> (private IP 1) guest hosts
                                                                                                         |-> (private IP 2) Main router/firewall - > guests

1.  your private (main) network traffic will have to traverse the "guest" router in order to access the Internet.
      In your case, this isn't likely worthy of concern.
           if you're paranoid about traffic security, this is bad.
2.   the scenario I described should not permit any direct access to your MAIN network
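The reason a "block inbound" firewall on the main router's WAN port still lets web pages come back (the question raised earlier in this thread) is that such firewalls are stateful: a flow started from the LAN is recorded, and only packets matching a recorded flow are let back in. The following model of the accepted layout is an added example, not code from the thread or from any router vendor. Addresses are constructed: the main LAN is 192.168.184.0/24 as in the question, the guest router's LAN is 192.168.0.0/24, and 203.0.113.10 / 203.0.113.77 (documentation range) stand in for internet hosts. NAT is left out; the filter is evaluated on the LAN-side addresses, which is where a stateful filter keeps its table anyway.

```python
"""Model of a stateful WAN-side firewall on the main router in a
router-behind-router layout (added example, constructed addresses)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Set, Tuple

MAIN_LAN: IPv4Network = ip_network("192.168.184.0/24")   # from the question
GUEST_LAN: IPv4Network = ip_network("192.168.0.0/24")    # guest router's LAN (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


# (proto, lan_ip, lan_port, remote_ip, remote_port) as seen from the LAN side
FlowKey = Tuple[str, str, int, str, int]


@dataclass
class StatefulWanFirewall:
    """Filter on the main router's WAN port: LAN-initiated flows go out and
    their replies come back; anything initiated from the WAN side is dropped."""
    lan: IPv4Network
    sessions: Set[FlowKey] = field(default_factory=set)

    def outbound(self, pkt: Packet) -> str:
        # Only a LAN host may open a flow; remember it so the reply can return.
        if ip_address(pkt.src) not in self.lan:
            return "DROP"
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ALLOW"

    def inbound(self, pkt: Packet) -> str:
        # A reply has the stored 5-tuple reversed; anything else is unsolicited.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ALLOW" if key in self.sessions else "DROP"


def verdict(fw: StatefulWanFirewall, pkt: Packet) -> str:
    """Where a packet ends up in the layout from the accepted answer: the guest
    LAN sits between the ISP and the main router's WAN port."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if src in MAIN_LAN and dst in MAIN_LAN:
        return "main-LAN local, never reaches the firewall"
    if src in GUEST_LAN and dst not in MAIN_LAN:
        return "guest traffic, never reaches the main router"   # printer, internet
    if src in MAIN_LAN:
        return fw.outbound(pkt)        # main host heading out through the guest LAN
    return fw.inbound(pkt)             # guest or internet host aiming at the main LAN


def scenario() -> Dict[str, str]:
    """Run the cases the thread cares about, in order (the reply depends on the
    request having been seen first). Returns a name -> verdict map."""
    fw = StatefulWanFirewall(lan=MAIN_LAN)
    cases = [
        ("main host browses the web", Packet("192.168.184.10", "203.0.113.10", 51000, 443)),
        ("web reply comes back",      Packet("203.0.113.10", "192.168.184.10", 443, 51000)),
        ("guest prints to guest printer", Packet("192.168.0.50", "192.168.0.20", 40000, 9100)),
        ("guest reaches the internet", Packet("192.168.0.50", "203.0.113.10", 40002, 443)),
        ("guest tries the file server", Packet("192.168.0.50", "192.168.184.20", 40001, 445)),
        ("internet host probes file server", Packet("203.0.113.77", "192.168.184.20", 12345, 22)),
    ]
    return {name: verdict(fw, pkt) for name, pkt in cases}


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:36s} -> {result}")
```

The state table is what separates "outgoing only" from "one-way": the reply on port 51000 is accepted only because the main host opened that exact flow moments earlier, while the guest's SMB attempt on port 445 matches nothing and is dropped. What this model does not capture is the point raised in the next post: every main-LAN packet still transits the guest LAN, so confidentiality of that traffic depends on the guests, not on the firewall.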

Assisted Solution

Mysidia earned 75 total points
ID: 21790345
Don't plug the WAN port of your main router into the LAN port of your subrouter.

This defeats the additional security you are trying to add: it makes it possible for a guest to sniff your traffic via ARP injection.

You could use three routers A, B, C.

A with WAN -> ISP  Cable/DSL modem.
B,C with WAN ->  router A's LAN ports

B == your home network
C ==  guest network.

To use two routers...

Router A's WAN port -->   Cable/DSL modem

Router B's WAN port --> Router A's LAN port

ROUTER A  subnet
    ROUTER B subnet         /24

Set a static route on Router B  pointing the second half of the subnet
to some ip that doesn't exist on the outer LAN

And then, change the outer LAN's IP range so that the workstations have IPs that the inner router has a static route to prevent it from properly routing.
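The static-route trick above works because a router picks the most specific matching route (longest prefix match), so a /25 route to a next hop that never answers ARP overrides the directly connected /24 for that half of the outer LAN. The following is an added example, not code from the thread: a longest-prefix-match routing table for router B (the inner, home router) in the two-router layout, plus a small helper that answers the earlier "/24" question by turning a prefix length into a dotted mask. The addresses are constructed: router A's LAN is taken as 192.168.0.0/24 with router A at 192.168.0.1, router B's LAN is 192.168.184.0/24 from the question, guest workstations get the upper half 192.168.0.128/25, and 192.168.0.254 is assumed to be an address nobody uses on the outer LAN.

```python
"""Longest-prefix-match routing table showing the blackhole static route
from the two-router suggestion (added example, constructed addresses)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set


def prefix_to_mask(prefixlen: int) -> str:
    """CIDR prefix length to dotted-decimal mask, e.g. 24 -> 255.255.255.0."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    bits = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return str(IPv4Address(bits))


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    via: Optional[IPv4Address]     # None = directly connected, deliver to dst itself
    iface: str


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, cidr: str, via: Optional[str] = None, iface: str = "wan") -> None:
        self.routes.append(Route(ip_network(cidr), ip_address(via) if via else None, iface))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: among routes covering dst, the most specific wins."""
        addr = ip_address(dst)
        matches = [r for r in self.routes if addr in r.network]
        return max(matches, key=lambda r: r.network.prefixlen) if matches else None


# Constructed addressing for the two-router layout (router A outer, router B inner).
OUTER_LAN = "192.168.0.0/24"       # router A's LAN, where guests live
OUTER_GATEWAY = "192.168.0.1"      # router A's LAN address
INNER_LAN = "192.168.184.0/24"     # router B's LAN, the home network (from the question)
GUEST_HALF = "192.168.0.128/25"    # upper half of the outer LAN, handed to guest hosts
DEAD_NEXT_HOP = "192.168.0.254"    # assumed unused on the outer LAN; it never answers ARP


def build_inner_router_table() -> RoutingTable:
    """Router B's table: connected LAN and WAN, the blackhole /25, and a default."""
    rt = RoutingTable()
    rt.add(INNER_LAN, iface="lan")
    rt.add(OUTER_LAN, iface="wan")
    rt.add(GUEST_HALF, via=DEAD_NEXT_HOP, iface="wan")   # the static route from the post
    rt.add("0.0.0.0/0", via=OUTER_GATEWAY, iface="wan")
    return rt


def forward(rt: RoutingTable, dst: str, outer_hosts: Set[str]) -> str:
    """What router B does with a packet from its LAN to dst. outer_hosts is the set
    of addresses that actually answer ARP on the outer LAN."""
    route = rt.lookup(dst)
    if route is None:
        return "no route"
    if route.iface == "lan":
        return "delivered on lan"
    next_hop = route.via if route.via is not None else ip_address(dst)
    if str(next_hop) not in outer_hosts:
        return "dropped: next hop does not resolve"
    return f"forwarded to {next_hop} on {route.iface}"


if __name__ == "__main__":
    present = {OUTER_GATEWAY, "192.168.0.20", "192.168.0.200"}   # .200 is a guest PC
    table = build_inner_router_table()
    print("/24 =", prefix_to_mask(24))
    for target in ("192.168.184.20", "192.168.0.20", "192.168.0.200", "203.0.113.10"):
        print(f"{target:16s} -> {forward(table, target, present)}")
```

The guest PC at 192.168.0.200 is really present on the outer LAN, yet the inner router never reaches it: the /25 route is more specific than the connected /24, so the packet is handed to 192.168.0.254, and with no ARP reply it is silently dropped. Anything in the lower half, and the internet via 192.168.0.1, still routes normally. Note this only blocks inner-to-guest traffic; guest-to-inner is left to router B's NAT and firewall, and it does nothing about the sniffing concern raised at the top of the post.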

