Solved

Router behind a Router

Posted on 2014-07-24
Last Modified: 2014-08-12
I have a Verizon router that I am using for my back office network; it also has wireless capability (only one SSID can be configured).  There are 4 Ethernet ports on the Verizon router.  One of the Verizon Ethernet ports is plugged into the INTERNET port on a Netgear wireless router.  The Netgear wireless is used by guests.

My question: is there any way that guest wireless users can see the back office network?
Question by: howmad2
Expert Comment by: Jan Springer (LVL 28)
ID: 40217975
Sure, because you have it backwards.  You are protecting the guests from the company.

Your guest network belongs outside (in front of, DMZ sideways, whatever).  Put that first and your company router behind it.
Accepted Solution by: Fred Marshall (LVL 25, earned 500 total points)
ID: 40217984
Likely yes but not assuredly.  Not all routers are created equal in this regard.
Consider the attached diagram.

Usually the "private" network would be "downstream" in a cascaded router arrangement like the one you have.
In that case it's possible for computers on the private network to see the computers on the "upper" or more public network - in some cases.  I have seen cases lately where this did NOT work.
And, conversely, it's not possible for computers on the private network to see the computers on the "lower" or private subnet.  For this to work there would at least have to be a route to the lower subnet active either in the computers themselves or, more commonly, on the internet gateway of the upper subnet.

I have also attached a paper re: how subnets in practice....

I'm not sure why the routers might work differently, but here is a hypothesis:
- Internet routers are not supposed to route packets to destinations in the private address ranges.  I'm not sure what the RFCs say beyond this such as:
- what if both subnets on a router are in private address ranges?  It seems clear that they must forward to the destinations in that case.  Surely this works if the router is in "router" mode (no NAT) but may be more questionable if it's in "gateway" (NAT) mode.
- what if a router is in "gateway" mode?  Will it route private address destinations from WAN to LAN?
- etc.


Anyway, if you want to prevent the guests from seeing the office computers then I would put the routers in parallel on different subnets.  There's also a diagram of that in the attached.  You'd have to add another router.
In this way there won't be a route to the office subnet unless you set one up in the Verizon router.  And, a route on a guest computer could not address the office subnet.
Let the Verizon subnet be 192.168.1.0, the Office subnet be 192.168.2.0 and the Guest subnet be 192.168.3.0 all /24.
A computer on the Guest subnet might be 192.168.3.99.
Adding a route would be:
route add -p 192.168.2.0 mask 255.255.255.0 192.168.3.1
(where 192.168.3.1 is the Guest router LAN address).
But the Guest router should drop the packets because it has no route to 192.168.2.0.
Multiple-Subnets.pdf
How-Subnets-Work-in-Practice.pdf
Author Comment by: howmad2
ID: 40218035
To clarify: the Verizon (Back Office) IP scheme is 192.168.1.0.  The Netgear Guest IP scheme is 10.10.10.0.  With this new information, do you think someone on the Guest Wireless can see the Back Office network?  If so, how can I verify it? (ping? network browsing?)
Expert Comment by: Jan Springer (LVL 28)
ID: 40218065
If the guest wireless subnet is 10.10.10.0/24 and its WAN IP is on the same subnet as everyone else on the back office network, then 10.10.10.0/24 is most likely being NATted to the back office subnet.
Expert Comment by: Fred Marshall (LVL 25)
ID: 40218174
As I understand your network description:
Verizon:
  WAN port IP address / subnet is .... whatever public or private depending.
  Office LAN address 192.168.1.xxx on 192.168.1.0/24
Netgear:
  WAN port IP address / subnet is 192.168.1.zzz/24
  Guest LAN address 10.10.10.yyy/24
(and yes, it does NAT between these subnets)
So, the Netgear WAN is on the office subnet as is the office internet gateway (Verizon).

PING from any Office LAN computer to any Office LAN computer.  If PING works, good.  If not, fix it.
PING from any Guest LAN computer to any Guest LAN computer.  If PING works, good.   If not, fix it.
PING from any Guest LAN computer to any Office LAN computer.  If PING works, then you can see the Office computers from the Guest network.

One might ask "How does a guest know the office subnet address?"  But that's not much security.
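The rule in the accepted answer (a packet only gets through if some router on the path has a route to the destination subnet) and the ping test in the comment above can both be walked through with a small forwarding simulator. This is an added example, not code from the thread or from either expert. It uses the subnets given in the thread (office 192.168.1.0/24, guest 10.10.10.0/24 in the current layout; 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24 in the suggested parallel layout); the router names, the upstream "ISP" hop that drops RFC 1918 destinations, and the host addresses 10.10.10.50, 192.168.1.20, 192.168.2.10 and 192.168.3.99 are assumptions for illustration. The model does static routes and longest-prefix match only and ignores NAT state and firewall rules, so "delivered" here means a route exists, which is the minimum condition the accepted answer names, not that a reply would necessarily make it back.

```python
"""Hop-by-hop route simulator for the cascaded and parallel router layouts.

Added example for the thread; router names, the ISP hop and the host addresses
are assumptions, the subnets are the ones the thread discusses.
"""
import ipaddress

# RFC 1918 ranges: the upstream ISP router will not carry traffic for these.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

DELIVER = "deliver"   # destination is on a segment directly connected to this router
ISP = "ISP"           # hand the packet to the provider (assumed upstream hop)


class Router:
    """A router with a static table; the longest matching prefix picks the action."""

    def __init__(self, name, routes):
        self.name = name
        # routes: {prefix: action}; action is DELIVER, ISP, or the next-hop router's name
        self.routes = {ipaddress.ip_network(p): a for p, a in routes.items()}

    def lookup(self, dst):
        matches = [n for n in self.routes if dst in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]


class Topology:
    def __init__(self, routers, gateways):
        self.routers = {r.name: r for r in routers}
        # gateways: {prefix: router name} -> the router a host on that LAN sends to
        self.gateways = {ipaddress.ip_network(p): r for p, r in gateways.items()}

    def add_route(self, router, prefix, action):
        """Add a static route, like the 'route add' the accepted answer mentions."""
        self.routers[router].routes[ipaddress.ip_network(prefix)] = action

    def trace(self, src, dst, max_hops=8):
        """Walk the packet hop by hop. Returns (delivered, [hop names])."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        current = next(r for n, r in self.gateways.items() if src in n)
        path = []
        for _ in range(max_hops):
            path.append(current)
            if current == ISP:
                # The provider routes public destinations and drops private ones.
                return (not any(dst in n for n in PRIVATE)), path
            action = self.routers[current].lookup(dst)
            if action is None:
                return False, path          # no route at all: dropped here
            if action == DELIVER:
                return True, path           # destination is on a connected segment
            current = action                # forward to the next-hop router
        return False, path                  # loop or too many hops


def cascaded():
    """Current layout from the question: Netgear WAN port plugged into the Verizon LAN."""
    return Topology(
        routers=[
            Router("Verizon", {"192.168.1.0/24": DELIVER, "0.0.0.0/0": ISP}),
            # Netgear: WAN side on 192.168.1.0/24, LAN side 10.10.10.0/24, default via Verizon
            Router("Netgear", {"10.10.10.0/24": DELIVER, "192.168.1.0/24": DELIVER,
                               "0.0.0.0/0": "Verizon"}),
        ],
        gateways={"192.168.1.0/24": "Verizon", "10.10.10.0/24": "Netgear"},
    )


def parallel():
    """Suggested layout: office and guest routers side by side under the Verizon router."""
    return Topology(
        routers=[
            Router("Verizon", {"192.168.1.0/24": DELIVER, "0.0.0.0/0": ISP}),
            Router("OfficeRouter", {"192.168.2.0/24": DELIVER, "192.168.1.0/24": DELIVER,
                                    "0.0.0.0/0": "Verizon"}),
            Router("GuestRouter", {"192.168.3.0/24": DELIVER, "192.168.1.0/24": DELIVER,
                                   "0.0.0.0/0": "Verizon"}),
        ],
        gateways={"192.168.1.0/24": "Verizon", "192.168.2.0/24": "OfficeRouter",
                  "192.168.3.0/24": "GuestRouter"},
    )


if __name__ == "__main__":
    cur = cascaded()
    print("cascaded guest -> office :", cur.trace("10.10.10.50", "192.168.1.20"))
    print("cascaded office -> guest :", cur.trace("192.168.1.20", "10.10.10.50"))
    par = parallel()
    print("parallel guest -> office :", par.trace("192.168.3.99", "192.168.2.10"))
    par.add_route("Verizon", "192.168.2.0/24", "OfficeRouter")   # the route that reopens it
    print("parallel + static route  :", par.trace("192.168.3.99", "192.168.2.10"))
```

Running the file prints one trace per case. In the current cascaded layout the guest-to-office packet is delivered by the Netgear in a single hop (its WAN side sits on the office subnet), while the office-to-guest packet ends at the ISP with no route to 10.10.10.0/24, which is the asymmetry the thread describes and why a ping from the guest side is the right check. In the parallel layout the guest-to-office packet also dies at the ISP, and it only gets through once a static route for 192.168.2.0/24 is added to the Verizon router, so that route is the thing to make sure nobody adds.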
Expert Comment by: Fred Marshall (LVL 25)
ID: 40218179
Another test would be:
From the Guest network RUN:
\\192.168.1.xxx
for any office computer with file sharing enabled.

You should get a response if the computer(s) are visible.