
Creating a separate network

Viper9

Hello guys,

 

I have a computer lab at home to do computer repairs and I want to separate my home network from this "business" network to be sure that no worms or malicious software affect my home PCs. 

 

So I've setup two routers this way :

 

Modem -->

 

Into the WAN port of router 1 (192.168.0.1) -->

 

Then from one of the LAN port from router 1 to the WAN port of router 2 (192.168.1.1)

 

But I can still access my NAS and printers (which is connected to router 1) from a computer connected to the router 2 even if they're not on the same subnet ?

 

I want two separate network without having to purchase a second internet connection.

 

Can someone help me with this please ? 

 

Thanks !


5 minutes ago, Viper9 said: (quoted above)

The issue is that having two NATs daisy-chained doesn't block anything. You should maybe check out the EdgeRouter Lite, as it is programmable to completely block access from one LAN to the next.

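Why daisy-chaining does not block anything in the direction that matters, modelled as the forwarding decision a stock consumer NAT router makes. This is an added example, not code from the thread or from any router firmware. It assumes router 2's WAN port got the lease 192.168.0.50 from router 1, a repair PC at 192.168.1.20, the NAS at 192.168.0.5 and a home PC at 192.168.0.10, and it keeps source ports unchanged through NAT for simplicity. The `isolate_upstream_lan` flag stands for the one FORWARD rule a stock router does not ship with.

```python
"""Model of a daisy-chained NAT: LAN2 -> LAN1 is ordinary outbound traffic,
LAN1 -> LAN2 has no route and no conntrack entry.  Constructed example."""
import ipaddress

LAN1 = ipaddress.ip_network("192.168.0.0/24")   # router 1 LAN: NAS, printer, home PCs
LAN2 = ipaddress.ip_network("192.168.1.0/24")   # router 2 LAN: repair bench
R2_WAN = "192.168.0.50"                          # assumed: lease router 1 gave router 2's WAN port


class Router2:
    """Consumer NAT router: masquerade LAN->WAN, admit WAN->LAN only for replies it saw leave."""

    def __init__(self, isolate_upstream_lan=False):
        self.isolate_upstream_lan = isolate_upstream_lan   # the FORWARD rule a stock router lacks
        self.conntrack = {}   # (remote_ip, remote_port, wan_port) -> (lan_ip, lan_port)

    def forward(self, src, dst, sport, dport, ingress):
        """Return (verdict, packet as it leaves the router, or None if dropped)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if ingress == "lan":
            if s not in LAN2:
                return "drop: source not from LAN", None
            if self.isolate_upstream_lan and d in LAN1:
                return "drop: LAN-isolation rule", None
            # SNAT to the WAN address and remember the flow so the reply can be un-NATed
            # (source port kept unchanged: a simplification of real port allocation)
            self.conntrack[(dst, dport, sport)] = (src, sport)
            return "forward", (R2_WAN, dst, sport, dport)
        # ingress == "wan": no port forwards configured, so only ESTABLISHED flows get in
        key = (src, sport, dport)
        if d == ipaddress.ip_address(R2_WAN) and key in self.conntrack:
            lan_ip, lan_port = self.conntrack[key]
            return "forward (reply, un-NATed)", (src, lan_ip, sport, lan_port)
        return "drop: unsolicited inbound", None


def router1_next_hop(dst):
    """Router 1 knows only its own LAN and a default route; it has no route to LAN2."""
    return "on-link (LAN1)" if ipaddress.ip_address(dst) in LAN1 else "default -> ISP"


def bench_to_nas(r2, bench="192.168.1.20", nas="192.168.0.5"):
    """Repair PC opens SMB (445) to the NAS.  Returns the verdict and, if forwarded,
    (address the NAS sees, verdict on the reply, LAN host the reply is delivered to)."""
    verdict, egress = r2.forward(bench, nas, 50000, 445, "lan")
    if egress is None:
        return verdict, None
    nat_src, _, nat_sport, _ = egress
    # The NAS answers router 2's WAN address.  Both sit on router 1's LAN switch, so the
    # reply is bridged straight back; router 1's firewall never sees this flow at all.
    reply_verdict, reply = r2.forward(nas, nat_src, 445, nat_sport, "wan")
    return verdict, (nat_src, reply_verdict, reply[1] if reply else None)


def home_to_bench(bench="192.168.1.20"):
    """The opposite direction: router 1 has no route to 192.168.1.0/24, so the packet
    goes to the ISP and dies there; router 2 would drop it as unsolicited anyway."""
    return router1_next_hop(bench)


if __name__ == "__main__":
    print("stock router 2:   ", bench_to_nas(Router2()))
    print("home -> bench:    ", home_to_bench())
    print("isolated router 2:", bench_to_nas(Router2(isolate_upstream_lan=True)))
```

On a router 2 running an iptables-based firmware such as DD-WRT or OpenWrt, the `isolate_upstream_lan` flag corresponds to a single FORWARD rule that drops LAN-originated packets addressed to router 1's subnet, for example `iptables -I FORWARD -i br0 -d 192.168.0.0/24 -j DROP` (the LAN bridge name `br0` is an assumption; check it with `ip link`). The model also shows where the rule has to live: the NAS reply never crosses router 1, because router 2's WAN port sits on router 1's bridged LAN ports, so only port isolation or VLANs on router 1, or a rule on router 2 or a firewall between the two, will stop it.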


You should be able to, however there might be some issues with 'auto-discovery' or similar because computers in your 2nd 'network' sitting behind that NAT wouldn't be part of the same broadcast domain as the first network. 

 

The issue you're going to run into with a NAS is performance.  Most consumer routers simply aren't very fast.   And since the router has to do full NAT (as opposed to Ethernet switching), your performance may be significantly limited as most consumer-level 'routers' are not designed for more than a few tens of megabits of traffic.

 

Personally I'd prefer to do something with VLANs, a proper routing/firewall framework (either in Cisco, or just something running off of a Linux or BSD* machine) and setting up proper firewall rules.  But in a pinch, what you suggest should work.  Think of it as a learning experience!


1 minute ago, Mark77 said: (quoted above)

Hi Mark,

 

I only repair one laptop at a time and I don't have a lot of devices on my home network, so performance isn't a huge issue. I just need to know which settings I should change so that the second network cannot access my NAS.

 

FYI my NAS is on the 192.168.0.1 subnet and the computer I've tested it with was on the 192.168.1.1 subnet. I don't understand why they can talk to each other. But a computer on the 192.168.0.1 subnet can't ping the router on the 192.168.1.1 subnet.


I think I'm getting your network laid out, but it might be easier if you could draw out the connections. I might be able to get you steered in a direction, or get you a little more help, if you can post a visualization of your current network and/or how you want to get it connected. I may redraw it using Packet Tracer. Packet Tracer is a free program, if you want to try it on your own. However, it can be a bit tricky to use if you've never played with it before.

 

Here's a link to some Plex networks I've setup, using Packet tracer.  Some of the icons are custom, so they may not be available, but it should help you see how you can layout your network.

 

https://forums.plex.tv/discussion/153844/various-plex-network-setups

 


You will need to plug both routers directly into the modem (or plug the modem into a separate switch and connect the WAN port of each router to the switch if you do not have enough ports on the modem).

This will result in 3 subnets.

  1. Modem as Gateway/DHCP/DNS and both routers as clients.
  2. Home Router as Gateway/DHCP/DNS, home computers as clients.
  3. Work Router as Gateway/DHCP/DNS, work computers as clients.

Use Google DNS as the secondary DNS for all subnets.


I regularly connect customer computers on my network and to internet. Running a Linux box instead of a switch has its benefits. If you are trying to sandbox your stuff from the foreign threat to your network a Linux box is the easiest way. You can also do packet inspection


6 hours ago, Timothy11 said: (quoted above)

I've done one in Paint (since I don't have Packet Tracer).

 

[link: network drawing]

 

Do you think it can have something to do with the gateways? The gateway for router 2 is itself, and I've set up Google's DNS on it like I've done on router 1?

6 hours ago, SCHISCHKA said: (quoted above)

I'm not sure what you're talking about with a linux box, you use this device right after the modem and plug both routers into it ? 


47 minutes ago, Viper9 said: (quoted above)

It plugs into modem and it is a router


So I see your network as the following. You said you had a printer? Do you need all PCs to connect to the printer? What models are the modem & routers? Models are only needed as far as ports and connectivity. Standard private class A/B/C IP ranges are okay, but please don't post personal outside IP addresses.

 

 

[attached image: network.JPG]


Your first tier router needs to unbridge the port that your second tier router plugs into. Because your first router bridges all 4 ports, your second "network" will be able to communicate with everything else on the first tier router.

 

If your first tier router does not offer this ability, then you're SOL using what you have. It's an uncommon feature in home production routers.

 

Your other option is find an old computer and turn it into a pfSense/RouterOS (or any other flavor of home firewall/router) and use that to separate your traffic.

 

 

Edit: I forgot to mention you could setup a VLAN which is slightly more common in home routers nowadays but that is a PITA to setup if you've never dealt with VLANs before. Unbridging the port is much simpler.


20 hours ago, Mikensan said: (quoted above)

I was personally thinking VLAN, myself.  However, depending on the model of the router you can do some manual routing.  Either way, it's going to be some hassle.  Unless the firmware can be re-flashed with an open firmware [IE: DD-WRT, OpenWRT, Tomato, etc.], I don't know of many home routers that have this ability.  Those that do, usually have these Open firmwares preinstalled.  This is why the models of the modem/routers is important.


On 05/01/2017 at 1:46 PM, Doramius said: (quoted above)

Hello,

 

The second network doesn't need to access the printer; it only needs to access the internet and not be able to access my network printer and NAS that are on my main network. But yeah, the drawing you have is the right representation of my actual network, it's just that now the PC under the second router can still access other devices on my main network and that's not what I want.


If that's the case, is there a reason why the networks cannot be swapped? The second network is internal, and the work one is external facing. The second router's NAT and firewall would naturally block the first network. And MAC & IP bandwidth adjusting is available on more routers than bridging and manual routing would be. Heck of a lot easier to deal with, too. However, if you need to open ports (IE: gaming, external access for media servers, FTP, etc.) on the second router, you must also open them on the first router. See below:

 

Still needing the models of the modem/routers.  

 

[attached image: network2.JPG]


On 1/6/2017 at 4:32 PM, Doramius said: (quoted above)

It could be an option. What if I put a switch after the modem and then from there split the network to each router? Do you think I'll have the result I want without having to mess with port forwarding for gaming?


On 1/11/2017 at 6:19 PM, Viper9 said: (quoted above)

This is what I said ages ago.

On 1/3/2017 at 7:17 PM, Timothy11 said: (quoted above)

 

I have attached a network layout.

Routers are in 2 subnets; the upstream IP information can be picked up from the upstream router's DHCP, but the downstream IP address must be the gateway for the downstream subnet.

 

Here is a sample configuration for each of the subnets...

  1. SubNet 1 - 192.168.1.x
  • Gateway 192.168.1.1
  • DNS 192.168.1.1, 8.8.8.8

  2. SubNet 2 - 192.168.2.x
  • Gateway 192.168.2.1
  • DNS 192.168.2.1, 8.8.8.8

  3. SubNet 3 - 192.168.3.x
  • Gateway 192.168.3.1
  • DNS 192.168.3.1, 8.8.8.8

This should work.

[attached image: Network Layout.png]


Pretty sure this can't be done with consumer grade routers. To do it properly, you need VLAN support.


14 minutes ago, LAwLz said: (quoted above)

Not only VLAN support but also the ability to block by VLAN ID. While those two should go together there are instances where they for whatever reason aren't included on the same box.


Modems bridge their IP to the device they're plugged in to, so plugging it into a switch doesn't help. Unless the modem is a router all in one, that's a different story.


7 hours ago, Timothy11 said: (quoted above)

First of all, thanks for your help. 

 

But the modem is not an all-in-one modem like some ISPs provide, it's only a modem, so a bridge. So would it be the same thing?

 

Subnet 1: 192.168.0.1

 

Subnet 2: 192.168.1.1

 

And for the DNS do I only put Google's DNS since the routers won't be connected together ? 

 

Thanks. 


What model is the modem? Most have routing/DHCP/DNS built in, even the basic ones.

 

You can use any subnets that you want as long as SubNet1 is not the same as SubNet2 or SubNet3.

 

Use the gateway router as the primary DNS and Google as the secondary. This is the simplest way to guarantee DNS resolution of computers on the subnet and on the Internet.


Any of these devices can have extremely various types of setups, which is why we keep asking what the models of the modems, routers, and switches are.  This is important information in the help.  Modems generally do have DHCP, however, some companies "TRY" to make things easier for consumers and limit the addressing to a single address, as there is frequently only one output network port.  It's not always the case, especially with many consumer ISPs wanting to provide telephony.  Putting a switch right after the modem 'could' work if the modem supports it, as Timothy11 had stated earlier.  This is why understanding and developing the layout of the network is important.  Overall, a switch was not initially provided as a hardware option, which is why I haven't created a network diagram with one.  It is a viable option if the modem supports it.  As for the DNS, there is a wide array of options you can use, however, there are best practice options that are more traditionally used.  An example is using a primary gateway as the DNS, and an additional option as a secondary.  As of late, Google's is frequently used, but I've seen 4.2.2.2, Yahoo, Open DNS addresses, and many others.


Just had a quick idea... On the second layer router, if you change the WAN's subnet to something smaller, it will block traffic to the rest of router 1's network.

 

This is not bullet proof and could be circumvented, however it blocks it.

 

So let's say Router 1's IP address is 192.168.1.1/24, then router 2's WAN IP should be 192.168.1.2/30 (I believe anyway, my subnetting is pretty bad)...

 

 

Edit: or on Router #2, it should have some basic firewalling in which you could create a custom rule...
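What the narrower WAN netmask from the post above actually changes, shown as a longest-prefix-match lookup over the routes router 2 would build from its WAN address. This is an added example, not the poster's configuration or any router's code. It uses the post's addresses (router 1 at 192.168.1.1/24, router 2's WAN at 192.168.1.2/30) and assumes a host at 192.168.1.50 on router 1's LAN as the target.

```python
"""Route lookup for router 2's WAN side under a /24 versus a /30 netmask.
Constructed example; addresses follow the post above."""
import ipaddress


def lookup(routes, dst):
    """Longest-prefix match.  routes: list of (prefix, next_hop); next_hop None means on-link.
    Returns (matched_prefix, next_hop) or None when nothing matches."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else (str(best[0]), best[1])


def router2_wan_routes(wan_cidr, gateway="192.168.1.1"):
    """The table router 2 derives from its WAN address: the connected prefix plus
    a default route via router 1 (192.168.1.1 as in the post)."""
    iface = ipaddress.ip_interface(wan_cidr)
    return [(str(iface.network), None), ("0.0.0.0/0", gateway)]


def gateway_on_link(wan_cidr, gateway="192.168.1.1"):
    """A default route only works if the gateway lies inside the connected prefix."""
    return ipaddress.ip_address(gateway) in ipaddress.ip_interface(wan_cidr).network


def path_to_upstream_host(wan_cidr, target="192.168.1.50"):
    """How router 2 reaches a host on router 1's LAN under a given WAN netmask."""
    prefix, nh = lookup(router2_wan_routes(wan_cidr), target)
    if nh is None:
        return f"on-link via {prefix}: ARP for {target} directly"
    return f"via gateway {nh} ({prefix}): router 1 forwards it back onto its own LAN"


if __name__ == "__main__":
    for cidr in ("192.168.1.2/24", "192.168.1.2/30"):
        print(cidr, "->", path_to_upstream_host(cidr), "| gateway on-link:", gateway_on_link(cidr))
    print("192.168.1.6/30 -> gateway on-link:", gateway_on_link("192.168.1.6/30"))
```

With /24 the target is on-link and router 2 ARPs for it; with /30 the same packet goes to the default gateway 192.168.1.1 instead, and router 1, for which 192.168.1.50 is a directly connected destination, will normally forward it straight back out its LAN side. The mask therefore moves the next hop rather than blocking the host, which matches the post's own caveat that the trick is not bullet-proof; the firewall rule on router 2 mentioned in the edit is the part that actually blocks. The /30 also has to contain the gateway: 192.168.1.2/30 covers 192.168.1.0 to .3 and so includes .1, whereas 192.168.1.6/30 would leave router 2 with no usable default route.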


On 1/12/2017 at 5:13 PM, Timothy11 said: (quoted above)

The model of my modem is an Arris TM722.

 

And I've tried with a switch and it doesn't work... Basically I've put the switch after the modem and just one of my routers can give access to the internet now (which is my main one, 192.168.0.1).

 

I guess I cannot do it with a switch for some reason ???

 

So if I try the first method again which is to plug router 2 WAN port into router 1 LAN port, what are the settings that I need to change so that the devices connected to router 2 cannot access my NAS and other computers connected to router 1 ?

 

Thanks.

