Router behind a Router

I have a Verizon Router that I am using for my back office network it also has wireless capability (only one SSID can be configured).  There are 4 Ethernet ports on the Verizon router.  One of the Verizon Ethernet ports is plugged into INTERNET port on a Netgear wireless router.  The Netgear-wireless is used by guests.

My question....Is there anyway that Guest wireless users can see the back office network?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jan SpringerCommented:
sure because you have it backwards.  you are protecting the guests from the company.

your guest network belongs outside (in front of, dmz sideways, whatever).  put that first and your company router behind it.
Fred MarshallPrincipalCommented:
Likely yes but not assuredly.  Not all routers are created equal in this regard.
Consider the attached diagram.

Usually the "private" network would be "downstream" in a cascaded router arrangement like the one you have.
In that case it's possible for computers on the private network to see the computers on the "upper" or more public network - in some cases.  I have seen cases lately where this did NOT work.
And, conversely, it's not possible for computers on the private network to see the computers on the "lower" or private subnet.  For this to work there would at least have to be a route to the lower subnet active either in the computers themselves or, more commonly, on the internet gateway of the upper subnet.

I have also attached a paper re: how subnets in practice....

I'm not sure why the routers might work differently but here is an hypothesis:
- Internet routers are not supposed to route packets to destinations in the private address ranges.  I'm not sure what the RFCs say beyond this such as:
- what if both subnets on a router are in private address ranges?  It seems clear that they must forward to the destinations in that case.  Surely this works if the router is in "router" mode (no NAT) but may be more questionable if it's in "gateway" (NAT) mode.
- what if a router is in "gateway" mode?  Will it route private address destinations from WAN to LAN?
- etc.

Anyway, if you want to prevent the guests from seeing the office computers then I would put the routers in parallel on different subnets.  There's also a diagram of that in the attached.  You'd have to add another router.
In this way there won't be a route to the office subnet unless you set one up in the Verizon router.  And, a route on a guest computer could not address the office subnet.
Let the Verizon subnet be, the Office subnet be and the Guest subnet be all /24.
A computer on the Guest subnet might be
Adding a route would be:
route add -p mask
(where is the Guest router LAN address).
But the Guest router should drop the packets because it has no route to

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
howmad2Author Commented:
To Clarify.  The Verizon (Back Office) IP scheme is  The Netgear Guest IP scheme is   With this new information, do you think someone on the Guest Wireless can see the Back Office network?  If so, how can I verify it....? (ping?, network browsing?).
Introducing the "443 Security Simplified" Podcast

This new podcast puts you inside the minds of leading white-hat hackers and security researchers. Hosts Marc Laliberte and Corey Nachreiner turn complex security concepts into easily understood and actionable insights on the latest cyber security headlines and trends.

Jan SpringerCommented:
if the guest wireless subnet is and it's WAN IP is on the same subnet as everyone else on the back office network, then the is most likey being NATted to the back office subnet.
Fred MarshallPrincipalCommented:
As I understand your network description:
  WAN port IP address / subnet is .... whatever public or private depending.
  Office LAN address on
  WAN port IP address / subnet is 192.168.1.zzz/24
  Guest LAN address 10.10.10.yyy/24
(and yes, it does NAT between these subnets)
So, the Netgear WAN is on the office subnet as is the office internet gateway (Verizon).

PING from any Office LAN computer to any Office LAN computer.  If PING works, good.  If not, fix it.
PING from any Guest LAN computer to any Guest LAN computer.  If PING works, good.   If not, fix it.
PING from any Guest LAN computer to any Office LAN computer.  If PING works, then you can see the Office computers from the Guest network.

One might ask "How does a guest know the office subnet address?  But that's not much security.
Fred MarshallPrincipalCommented:
Another test would be:
From the Guest network RUN:
for any office computer with file sharing enabled.

You should get a response if the computer(s) are visible.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.