Solved

Router behind a Router

Posted on 2014-07-24
487 Views
Last Modified: 2014-08-12
I have a Verizon router that I am using for my back office network; it also has wireless capability (only one SSID can be configured).  There are 4 Ethernet ports on the Verizon router.  One of the Verizon Ethernet ports is plugged into the INTERNET port on a Netgear wireless router.  The Netgear wireless is used by guests.

My question: Is there any way that Guest wireless users can see the back office network?
Question by:howmad2
6 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40217975
sure because you have it backwards.  you are protecting the guests from the company.

your guest network belongs outside (in front of, dmz sideways, whatever).  put that first and your company router behind it.
0
 
LVL 26

Accepted Solution

by:
Fred Marshall earned 500 total points
ID: 40217984
Likely yes but not assuredly.  Not all routers are created equal in this regard.
Consider the attached diagram.

Usually the "private" network would be "downstream" in a cascaded router arrangement like the one you have.
In that case it's possible for computers on the private network to see the computers on the "upper" or more public network - in some cases.  I have seen cases lately where this did NOT work.
And, conversely, it's not possible for computers on the private network to see the computers on the "lower" or private subnet.  For this to work there would at least have to be a route to the lower subnet active either in the computers themselves or, more commonly, on the internet gateway of the upper subnet.

I have also attached a paper re: how subnets work in practice....

I'm not sure why the routers might work differently but here is an hypothesis:
- Internet routers are not supposed to route packets to destinations in the private address ranges.  I'm not sure what the RFCs say beyond this such as:
- what if both subnets on a router are in private address ranges?  It seems clear that they must forward to the destinations in that case.  Surely this works if the router is in "router" mode (no NAT) but may be more questionable if it's in "gateway" (NAT) mode.
- what if a router is in "gateway" mode?  Will it route private address destinations from WAN to LAN?
- etc.


Anyway, if you want to prevent the guests from seeing the office computers then I would put the routers in parallel on different subnets.  There's also a diagram of that in the attached.  You'd have to add another router.
In this way there won't be a route to the office subnet unless you set one up in the Verizon router.  And, a route on a guest computer could not address the office subnet.
Let the Verizon subnet be 192.168.1.0, the Office subnet be 192.168.2.0 and the Guest subnet be 192.168.3.0 all /24.
A computer on the Guest subnet might be 192.168.3.99.
Adding a route would be:
route add -p 192.168.2.0 mask 255.255.255.0 192.168.3.1
(where 192.168.3.1 is the Guest router LAN address).
But the Guest router should drop the packets because it has no route to 192.168.2.0.
Multiple-Subnets.pdf
How-Subnets-Work-in-Practice.pdf
0
 

Author Comment

by:howmad2
ID: 40218035
To Clarify.  The Verizon (Back Office) IP scheme is 192.168.1.0.  The Netgear Guest IP scheme is 10.10.10.0.   With this new information, do you think someone on the Guest Wireless can see the Back Office network?  If so, how can I verify it....? (ping?, network browsing?).
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 40218065
if the guest wireless subnet is 10.10.10.0/24 and its WAN IP is on the same subnet as everyone else on the back office network, then the 10.10.10.0/24 is most likely being NATted to the back office subnet.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40218174
As I understand your network description:
Verizon:
  WAN port IP address / subnet is .... whatever public or private depending.
  Office LAN address 192.168.1.xxx on 192.168.1.0/24
Netgear:
  WAN port IP address / subnet is 192.168.1.zzz/24
  Guest LAN address 10.10.10.yyy/24
(and yes, it does NAT between these subnets)
So, the Netgear WAN is on the office subnet as is the office internet gateway (Verizon).

PING from any Office LAN computer to any Office LAN computer.  If PING works, good.  If not, fix it.
PING from any Guest LAN computer to any Guest LAN computer.  If PING works, good.   If not, fix it.
PING from any Guest LAN computer to any Office LAN computer.  If PING works, then you can see the Office computers from the Guest network.

One might ask "How does a guest know the office subnet address?"  But that's not much security.
0
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40218179
Another test would be:
From the Guest network RUN:
\\192.168.1.xxx
for any office computer with file sharing enabled.

You should get a response if the computer(s) are visible.
0
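
The ping and \\192.168.1.xxx tests described in the comments above can be combined into one repeatable check run from a laptop joined to the guest wireless. This is an added example, not part of any poster's reply; the host addresses, the port list and the function names are assumptions made for illustration, while the two subnets are the ones given in the thread.

```python
import ipaddress
import socket

# Subnets as stated in the thread; adjust to your own network.
OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("10.10.10.0/24")
# Assumed port list: SMB (what the \\host test uses), NetBIOS session, RDP.
PORTS = (445, 139, 3389)


def tcp_connect(host, port, timeout=1.5):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def cascade_exposes_office(guest_router_wan, office_net=OFFICE_NET):
    """True when the guest router's WAN address sits inside the office subnet,
    i.e. the office LAN is directly connected on the guest router's WAN side."""
    return ipaddress.ip_address(guest_router_wan) in office_net


def find_leaks(office_hosts, ports=PORTS, connect=tcp_connect):
    """Run from a guest client. Returns the (host, port) pairs that answered."""
    leaks = []
    for host in office_hosts:
        if ipaddress.ip_address(host) not in OFFICE_NET:
            raise ValueError(f"{host} is not in {OFFICE_NET}")
        leaks.extend((host, p) for p in ports if connect(host, p))
    return leaks


if __name__ == "__main__":
    # Constructed sample: office machines you administer (hypothetical addresses).
    hosts = ["192.168.1.10", "192.168.1.20"]
    print("guest router WAN on office subnet:",
          cascade_exposes_office("192.168.1.2"))
    leaks = find_leaks(hosts)
    for host, port in leaks:
        print(f"REACHABLE from guest network: {host}:{port}")
    print("isolated" if not leaks else f"{len(leaks)} reachable service(s)")
```

Pick office hosts that are known to answer on these ports for office clients; a host firewall that drops ICMP echo or blocks the port for every source would otherwise make an exposed network look isolated.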
